Rewterz Threat Update – BlackCat Ransomware Group Publishes Victims’ Data On The Clear Web

Severity

High

Analysis Summary

The BlackCat, aka ALPHV ransomware group, has developed a new approach to compel victims to pay the ransom. To enhance the pressure, the group began releasing victims’ data on the clear web. The public availability of stolen data increases the potential impact on victims.

BlackCat is a Ransomware family that is deployed as a part of a Ransomware as a Service (RaaS). This ransomware first appeared in November 2021. The program is written in the Rust programming language and can run on Windows, Linux-based operating systems (Debian, Ubuntu, ReadyNAS, Synology), and VMWare ESXi. The majority of the group’s victims have been in the United States, although BlackCat and its associates have also targeted organizations in Europe, the Philippines, and other regions. This ransomware can be set to encrypt files using either the AES or ChaCha20 algorithms. It can destroy volume shadow copies, terminate programs and services, and stop virtual machines on ESXi servers to maximize the quantity of ransomed data. Experts have speculated that the creator of BlackCat was previously involved with the REvil ransomware activities. The group implements a double-extortion model, threatening to release the stolen information if the victims do not pay.

Ransomware groups are always modifying their strategies in order to put more pressure on victims. To compel victims to pay, they either expose chunks of the stolen material or send emails to customers and workers informing them that their personal information has been taken. Extortion methods, on the other hand, do not always succeed, and corporations simply refuse to pay.

The purpose of this website is clear: to terrify victims into requesting that their data can only be removed from the website by paying the demanded ransom payment.

Impact

• File Encryption
• Data Exfiltration
• Information Theft

Remediation

• Maintain cyber hygiene by updating your anti-virus software and implement patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open ” links and attachments received from unknown sources/senders.
• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs) in your environment utilizing your respective security controls
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets