Rewterz Threat Advisory – CVE-2022-42436 – IBM MQ Vulnerability
March 19, 2023Rewterz Threat Alert -Russian-Linked NOBELIUM APT Group Abuses EU Information Exchange Systems In Attacks Aimed At Government – Active IOCs
March 20, 2023
Severity
High
Analysis Summary
BlackCat, also known as ALPHV, is a ransomware family operated under a Ransomware-as-a-Service (RaaS) model. It is written in Rust and has builds for Windows, for Linux distributions and NAS appliances (Debian, Ubuntu, ReadyNAS, Synology), and for VMware ESXi.
BlackCat first appeared in November 2021. Most of its victims have been in the United States, although the group and its affiliates have also hit organizations in Europe, the Philippines, and other regions. Targeted sectors include construction and engineering, retail, transportation, commercial services, insurance, machinery, professional services, telecommunications, auto components, and pharmaceuticals. The payload can be configured to encrypt files with either AES or ChaCha20. Before encrypting, it can delete volume shadow copies, terminate processes and services that would otherwise hold files open, and stop virtual machines on ESXi hosts, all to maximize the amount of data it can hold to ransom.
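The pre-encryption behaviour described above (shadow copy deletion, VM termination on ESXi) is noisy and is a good place to detect the intrusion before files are lost. The following is an added example, not code from Rewterz or from the advisory: a small detector that runs three rules over constructed process-creation events. The command lines used (vssadmin, WMIC shadowcopy, esxcli) are well-known examples of this behaviour, not commands quoted from the advisory, and the log format and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry). Each line is
# "host | user | parent_image | image | command_line".
SAMPLE_EVENTS = [
    "srv01 | CORP\\svc_backup | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet",
    "srv01 | CORP\\admin | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\wbem\\WMIC.exe | wmic.exe shadowcopy delete",
    "esx01 | root | /bin/sh | /bin/esxcli | esxcli vm process kill --type=force --world-id=2101234",
    "ws07 | CORP\\alice | C:\\Windows\\explorer.exe | C:\\Windows\\System32\\notepad.exe | notepad.exe C:\\Users\\alice\\notes.txt",
    "srv02 | CORP\\svc_backup | C:\\Windows\\System32\\cmd.exe | C:\\Windows\\System32\\vssadmin.exe | vssadmin.exe list shadows",
]

# (rule name, pattern matched against the command line, severity).
# Listing shadow copies is benign; only deletion is flagged.
RULES = [
    ("Shadow copy deletion via vssadmin",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I), "high"),
    ("Shadow copy deletion via WMIC",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I), "high"),
    ("ESXi VM forcibly terminated",
     re.compile(r"esxcli\s+vm\s+process\s+kill", re.I), "medium"),
]


@dataclass
class Alert:
    host: str
    user: str
    rule: str
    severity: str
    command_line: str


def parse_event(line):
    """Split one constructed event line into its five fields; None if malformed."""
    parts = [p.strip() for p in line.split(" | ", 4)]
    if len(parts) != 5:
        return None
    host, user, parent_image, image, command_line = parts
    return {"host": host, "user": user, "parent_image": parent_image,
            "image": image, "command_line": command_line}


def detect(lines):
    """Run every rule over every event; return one Alert per (event, rule) match."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # skip malformed lines rather than crash mid-scan
        for name, pattern, severity in RULES:
            if pattern.search(event["command_line"]):
                alerts.append(Alert(event["host"], event["user"], name,
                                    severity, event["command_line"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.user}: {a.rule} :: {a.command_line}")
```

In a real deployment the same patterns belong in EDR or SIEM rules over Sysmon event 1 / Windows 4688 command lines and ESXi shell logs; the point of the example is that the deletion verb, not the tool name, is what separates ransomware staging from routine administration.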
Like other ransomware families, BlackCat encrypts the victim's files and demands payment for the decryption key. Organizations should prepare in advance: keep regular, tested backups, enforce strong passwords and multi-factor authentication, and apply software patches and security updates promptly.
Impact
- File Encryption
Indicators of Compromise
MD5
- b67ffe5e49ada7628ae9c32eaa3b4ce3
- 5ec0db562fbf982be4d10db97aef0c81
- 06c88ddc3cc18c4e7d5dc7a8a5de6477
SHA-256
- 62ae5ad22213d2adaf0e7cf1ce23ff47b996f60065244b63f361a22daed2bdda
- 38d5f4f37686dab8b082b591224e272883644caab6a814e7751981da00523c51
- 1d6d47bf20d21b860d232a358481c477c36491134ea976372c69a0483e05a556
SHA-1
- ddd203bae26ac216e0fa0548c2cbb02891edb12c
- 6d4f370387b328408b711d754ceba0b0b5944952
- 885441c9e592e5c6e23867b85a96e142bf45ebcf
Remediation
- Block all of the indicators listed above at your respective security controls.
- Search your environment for the indicators of compromise (IOCs) above using your respective security controls.
- Treat emails from unknown senders with caution.
- Never open links or attachments received from unknown or untrusted sources.
- Maintain cyber hygiene: keep anti-virus signatures current and run a patch management lifecycle.
- Maintain offline backups. In a ransomware attack the adversary will often delete or encrypt any backups they can reach, so keep offline (preferably off-site), encrypted backups and test restores regularly.
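One concrete way to carry out the "search for IOCs" step above on hosts without EDR coverage is a file-hash sweep. The following is an added example, not code from Rewterz or from the advisory: it embeds the MD5, SHA-1 and SHA-256 values published above, hashes every regular file under a directory in one pass, and reports any file whose digest matches. The directory to scan, the chunk size and the handling of unreadable files are assumptions of the example.

```python
import hashlib
from pathlib import Path

# Hashes published in this advisory, lower-cased so comparison is case-insensitive.
IOC_MD5 = {
    "b67ffe5e49ada7628ae9c32eaa3b4ce3",
    "5ec0db562fbf982be4d10db97aef0c81",
    "06c88ddc3cc18c4e7d5dc7a8a5de6477",
}
IOC_SHA1 = {
    "ddd203bae26ac216e0fa0548c2cbb02891edb12c",
    "6d4f370387b328408b711d754ceba0b0b5944952",
    "885441c9e592e5c6e23867b85a96e142bf45ebcf",
}
IOC_SHA256 = {
    "62ae5ad22213d2adaf0e7cf1ce23ff47b996f60065244b63f361a22daed2bdda",
    "38d5f4f37686dab8b082b591224e272883644caab6a814e7751981da00523c51",
    "1d6d47bf20d21b860d232a358481c477c36491134ea976372c69a0483e05a556",
}
IOC_SETS = {"md5": IOC_MD5, "sha1": IOC_SHA1, "sha256": IOC_SHA256}
ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digest an in-memory byte string with all three algorithms."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def hash_file(path, chunk_size=1 << 20):
    """Digest a file with all three algorithms in a single pass over its bytes."""
    hashers = {algo: hashlib.new(algo) for algo in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def match_iocs(hashes):
    """Return [(algo, digest), ...] for every digest that is in the IOC lists."""
    matches = []
    for algo in ALGOS:
        digest = hashes.get(algo, "").lower()
        if digest in IOC_SETS[algo]:
            matches.append((algo, digest))
    return matches


def scan_tree(root):
    """Walk a directory tree and return [(path, matches), ...] for matching files."""
    hits = []
    for path in Path(root).rglob("*"):
        # Skip symlinks so a link into /proc or a loop does not derail the sweep.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            matches = match_iocs(hash_file(path))
        except OSError:
            continue  # locked or unreadable file; a production sweep should log these
        if matches:
            hits.append((path, matches))
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # assumed default: current directory
    for path, matches in scan_tree(root):
        for algo, digest in matches:
            print(f"MATCH {path} {algo}={digest}")
```

Hashes are exact-match indicators only: a recompiled or repacked sample will not hit, so treat a clean sweep as absence of these specific files, not as absence of BlackCat. Run it with a service account that can read the paths of interest, and keep the IOC sets in a separate file if you maintain them across advisories.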