
Prolific Ransomware Affiliate Groups Deploy BlackCat

Two of the “most prolific” affiliate threat groups, which have been associated with several ransomware families, including Hive, Conti and Ryuk, are now deploying the BlackCat ransomware-as-a-service (RaaS), new Microsoft research revealed.

Researchers tracking BlackCat deployments face a challenge that’s currently prevalent in the ransomware threat landscape: Because it relies on the RaaS affiliate model, no two BlackCat deployments might look the same, with different affiliates utilizing different tactics. For instance, two separate BlackCat deployments recently observed by Microsoft used two initial access vectors - one using compromised credentials, and the other exploiting a vulnerable Microsoft Exchange server - as well as different persistence, credential exfiltration and lateral movement methods.

This can throw a wrench in the ability to pin down commonly used TTPs for the ransomware beyond the basics. Still, the outcome of a BlackCat attack - data being encrypted, exfiltrated and used for "double extortion" - is the same, and researchers said organizations can defend against the ransomware family by addressing common issues like poor credential hygiene and misconfigurations.

"Apart from the incidents discussed earlier, we’ve also observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat," said Microsoft’s 365 Defender Threat Intelligence team in a Monday analysis. "Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats."

Researchers observed the financially motivated DEV-0237 group (also known as FIN12) adding BlackCat to its list of distributed payloads starting in March. The group is known for distributing Conti, Ryuk and, most recently, the Hive ransomware.

“Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies,” said researchers.

Another well-known active affiliate group, DEV-0504, adopted BlackCat starting in December. The group has previously delivered ransomware families like BlackMatter, Conti, LockBit 2.0, REvil and Ryuk. DEV-0504 has several known TTPs, including using an initial vector that involves remotely signing into devices with compromised credentials. It is also known for using tools like Mimikatz for credential theft, StealBit for data exfiltration and PsExec for distributing the ransomware payload.

Certain features of BlackCat are specifically customized for affiliates, so it may be no surprise that these popular affiliate groups have started leveraging the ransomware. For instance, the BlackCat payload allows affiliates to customize execution to the environment. The ransomware's self-propagation feature is also configurable by an affiliate for individual environments.

Recently Observed BlackCat Incidents

Researchers also observed two incidents that were launched by other unnamed threat actors, with marked differences that show how TTPs for BlackCat ransomware deployments vary from affiliate to affiliate. In one incident, for instance, the actor leveraged an unpatched Exchange server for initial access. The attackers then created a dump file of the LSASS process to steal credentials, using either malware or the Task Manager, and then moved laterally by signing into target devices with the Remote Desktop client. As part of this attack, the actors exfiltrated intellectual property data.

In a second incident, an affiliate gained access by using compromised credentials to sign into an internet-facing Remote Desktop server. In this case, the attackers performed lateral movement by dropping legitimate, unnamed software deployment and Remote Desktop solutions via SMB. Another difference here is that while performing credential theft the actors configured the WDigest authentication protocol to store passwords in cleartext, and used Mimikatz to dump credentials. The attackers also created a new user and added the account to the local administrator group in order to set up persistence.
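The two host-level artifacts described in these incidents, the WDigest setting that makes LSASS cache cleartext passwords and a newly created account added to the local Administrators group, are both easy to check for. The script below is an added example for defenders; it is not code from the article or from Microsoft's report. It assumes it runs elevated on the Windows host being audited and that the standard "Audit User Account Management" and "Audit Security Group Management" policies are enabled so that events 4720 and 4732 are written to the Security log; the registry path and event IDs are standard Windows values.

```powershell
# Added example (not from the article or Microsoft's report): audit a Windows host for
# the WDigest cleartext-caching setting and for recent local-admin persistence.
# Assumes: elevated session; account-management auditing enabled in local policy.

param(
    [switch]$Remediate,          # when set, disable WDigest cleartext caching
    [int]$LookbackHours = 24     # how far back to search the Security log
)

# 1. WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords in memory,
#    which is what credential-dumping tools then read. On Windows 8.1 / Server 2012 R2
#    and later the value is absent by default, which Windows treats as disabled.
$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$value = (Get-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' `
          -ErrorAction SilentlyContinue).UseLogonCredential

if ($null -eq $value) {
    Write-Output "WDigest UseLogonCredential: not set (default, cleartext caching disabled)"
} elseif ($value -eq 1) {
    Write-Warning "WDigest UseLogonCredential = 1: LSASS is caching cleartext credentials"
    if ($Remediate) {
        Set-ItemProperty -Path $wdigestKey -Name 'UseLogonCredential' -Value 0 -Type DWord
        Write-Output "Set UseLogonCredential to 0 (applies to new logons)"
    }
} else {
    Write-Output "WDigest UseLogonCredential = $value (cleartext caching disabled)"
}

# 2. New local accounts and additions to local Administrators.
#    4720 = a user account was created; 4732 = a member was added to a
#    security-enabled local group.
$since = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4732
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4720 {
            Write-Output ("{0} ACCOUNT CREATED  target={1} by={2}" -f
                $e.TimeCreated, $data['TargetUserName'], $data['SubjectUserName'])
        }
        4732 {
            # For 4732, TargetUserName is the group; MemberSid is the principal added.
            if ($data['TargetUserName'] -eq 'Administrators') {
                Write-Warning ("{0} ADDED TO LOCAL ADMINISTRATORS  memberSid={1} by={2}" -f
                    $e.TimeCreated, $data['MemberSid'], $data['SubjectUserName'])
            }
        }
    }
}

# 3. Current membership of the local Administrators group, to compare against
#    the expected baseline for this host.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```

Run it without arguments to report, or with `-Remediate` to reset `UseLogonCredential` to 0; since the value is read at logon, accounts already signed in keep cached credentials until they log off, so a reboot or forced logoff is the conservative follow-up. Pushing the same two checks out through your endpoint management tooling gives the fleet-wide view that a single affected host cannot.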

Since first being observed in November 2021, BlackCat has been labeled “the most sophisticated ransomware of 2021,” and has targeted multiple devices and operating systems, including Windows and Linux devices. The ransomware is known to be written in the modern Rust programming language, and also for using a binary payload that is specially crafted for each specific target, making detection harder. In April, the FBI warned U.S. organizations of BlackCat attacks and said it has compromised at least 60 entities globally as of March. At the time, the FBI said it was seeking any further information on the ransomware, including IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with the threat actors, decryptor files or benign samples of encrypted files.

Researchers said they have observed the ransomware being deployed in various regions in Africa, the Americas, Asia and Europe. Organizations can protect themselves by closely monitoring external access and locating any vulnerable Exchange servers in their environment, said Microsoft researchers.

“In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers,” said Microsoft researchers. “The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat are not worth forgoing downtime, service interruption, and other pain points related to applying security updates and implementing best practices.”