The U.S. Federal Bureau of Investigation (FBI) has warned the public about the BlackCat ransomware-as-a-service (RaaS). The ransomware, which emerged in November 2021, has affected 60 entities globally as of March 2022.
The ransomware, also known as ALPHV and Noberus, is significant as it’s the first malware written in the Rust programming language, which is memory safe and offers enhanced performance.
“Many of the developers and money launderers for BlackCat/ALPHV are linked to DarkSide/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” the FBI said in an advisory published last week.
The warning comes weeks after two reports from Cisco Talos and Kaspersky found links between the BlackCat and BlackMatter ransomware families. It was found that BlackCat used an altered version of Fendr, a data exfiltration tool previously seen only in BlackMatter-related activity.
“Aside from the developing advantages Rust offers, the attackers also take advantage of a lower detection ratio from static analysis tools, which aren’t usually adapted to all programming languages,” AT&T Alien Labs pointed out earlier this year.
BlackCat’s method, like that of other RaaS groups, entails stealing victim data before executing the ransomware. The malware often uses compromised user credentials to initially access the target system.
Forescout’s Vedere Labs studied a BlackCat ransomware incident and said that an internet-exposed SonicWall firewall was infiltrated to initially access the network. The firewall was overrun before the attackers encrypted a VMware ESXi virtual farm. The ransomware was deployed on March 17, 2022.
Law enforcement, apart from recommending prompt reporting of ransomware incidents, has said that it doesn’t suggest that victims pay the ransom demand, as payment doesn’t ensure recovery of encrypted files.
The FBI is urging organizations to review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts, take offline backups, implement network segmentation, apply software updates, and secure accounts with multi-factor authentication.