Monday, February 6, 2023

FBI: This ransomware written in the Rust programming language has hit at least 60 targets – ZDNet

The BlackCat ransomware gang has claimed at least 60 victims worldwide.
Liam Tung is a full-time freelance technology journalist who writes for several Australian publications.
The BlackCat ransomware gang, known for being the first to use ransomware written in the Rust programming language, has compromised at least 60 organizations worldwide since March 2022, the Federal Bureau of Investigation (FBI) says in a new alert. 
BlackCat, which also goes by the name ALPHV, is a relatively new ransomware-as-a-service gang that security researchers believe is related to the more established BlackMatter (aka Darkside) ransomware gang that hit US fuel distributor Colonial Pipeline last May. 
BlackCat appeared in November 2021 and was created by compromise experts, or ‘access brokers’, who have sold access to multiple RaaS groups, including BlackMatter, according to Cisco’s Talos researchers.
As ZDNet reported in February, BlackCat has hit several high-profile companies since December, including Swiss airport management service Swissport and two German oil suppliers.
While much of the group’s efforts have been focused on striking several European critical infrastructure firms, Cisco notes in a March report that more than 30% of BlackCat compromises have targeted US firms. 
“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing,” the FBI says in its alert detailing BlackCat/ALPHV indicators of compromise.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter, indicating they have extensive networks and experience with ransomware operations,” it continues. 
The BlackCat gang uses previously compromised user credentials to gain initial access to the victim’s system. The group then compromises Microsoft Active Directory user and administrator accounts and uses the Windows Task Scheduler to configure Group Policy Objects to deploy the ransomware. 
BlackCat also uses legitimate Windows tools – such as Microsoft Sysinternals, as well as PowerShell scripts – to disable security features in anti-malware tools, launch ransomware executables (including against MySQL databases), and copy the ransomware to other locations on the network.
The group practices double extortion: it steals data before encrypting it so that it can threaten victims with a leak if they don’t pay the ransom demand.
Cisco said it was unlikely the BlackCat gang or affiliates were using an Exchange flaw. However, Trend Micro researchers last week claimed to have identified BlackCat exploiting the Exchange bug CVE-2021-31207 during an investigation. That was one of the ProxyShell Exchange bugs discovered in mid-2021.
BlackCat has versions that work on Windows and Linux, as well as VMware’s ESXi environment, notes Trend Micro.
“In this incident, we identified the exploitation of CVE-2021-31207. This vulnerability abuses the New-MailboxExportRequest PowerShell command to export the user mailbox to an arbitrary file location, which could be used to write a web shell on the Exchange Server,” the firm said.
The Cybersecurity and Infrastructure Security Agency is urging organizations to review the FBI’s alert.
The FBI is seeking information from the public about BlackCat compromises. It wants “any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, the decryptor file, and/or a benign sample of an encrypted file.”
As Windows Task Scheduler is commonly used by attackers to hide malicious activity within seemingly normal admin tasks, the FBI recommends that organizations review Task Scheduler for unrecognized scheduled tasks, and check domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
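A defender's starting point for the two FBI recommendations above, as an added example that is not part of the article or the FBI alert: it enumerates non-Microsoft scheduled tasks with their resolved command lines (flagging those that launch script hosts or binaries from user-writable paths) and lists domain accounts created recently, then exports both for comparison against a baseline. The 14-day lookback, the `C:\IR` output folder and the suspect-pattern list are assumptions; the account check needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the article): triage scheduled tasks and new AD accounts.
# Assumptions: run elevated on a domain-joined host; RSAT ActiveDirectory module
# installed; the 14-day window and output folder are arbitrary choices.
$Lookback = (Get-Date).AddDays(-14)
$OutDir   = 'C:\IR'
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Non-Microsoft, non-disabled scheduled tasks, one row per action. A task whose
#    action runs a script host or something under Users/Temp/ProgramData is flagged.
$SuspectPattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|\\Users\\|\\Temp\\|\\ProgramData\\'
$Tasks = Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            $cmdLine = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                CommandLine = $cmdLine
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                Suspect     = [bool]($cmdLine -match $SuspectPattern)
            }
        }
    }
Write-Host "== Non-Microsoft scheduled tasks: $(@($Tasks).Count) =="
$Tasks | Sort-Object Suspect -Descending |
    Format-Table TaskName, RunAs, Suspect, CommandLine -AutoSize -Wrap

# 2. Domain accounts created inside the lookback window, with their group
#    memberships, so an unrecognised recent account in a privileged group stands out.
Import-Module ActiveDirectory -ErrorAction Stop
$NewUsers = Get-ADUser -Filter { whenCreated -ge $Lookback } -Properties whenCreated, Enabled, MemberOf |
    Select-Object SamAccountName, whenCreated, Enabled,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
Write-Host "== Domain accounts created since $Lookback : $(@($NewUsers).Count) =="
$NewUsers | Sort-Object whenCreated -Descending | Format-Table -AutoSize -Wrap

# 3. Keep a timestamped snapshot; diffing two snapshots shows what changed.
$Stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$Tasks    | Export-Csv (Join-Path $OutDir "tasks-$Stamp.csv")    -NoTypeInformation
$NewUsers | Export-Csv (Join-Path $OutDir "newusers-$Stamp.csv") -NoTypeInformation
```

Run the same script on a known-clean build to produce a baseline CSV; tasks or accounts present only in the later snapshot are the ones to investigate first.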
© 2022 ZDNET, A RED VENTURES COMPANY. ALL RIGHTS RESERVED.