One of the most active and notorious ransomware gangs, BlackCat (also known as ALPHV) has made headlines again this week.
The BlackCat ransomware gang is a formidable threat to enterprises worldwide. It has already compromised hundreds of organizations, including Reddit, universities, government agencies, and companies across many sectors.
This group is known for its sophisticated attacks and double extortion tactics, which can leave victims facing significant financial losses and reputational damage. BlackCat is a ransomware-as-a-service (RaaS) operation, which means that the developers of the malware offer it for use by affiliates, who are responsible for compromising networks and deploying the ransomware. The developers then take a percentage of the ransom payments.
But this week, BlackCat took things a step further in their extortion schemes by submitting a complaint to the Securities and Exchange Commission (SEC), claiming that they had hacked into a U.S. company and that the company had failed to disclose that information to the SEC.
So, what can your organization do to better protect itself from ransomware gangs like BlackCat? In this post, we’ll discuss how the BlackCat ransomware gang typically gains access to an enterprise and provide cybersecurity best practices to help you protect your organization from becoming a victim.
What you should know about BlackCat
First, for those who may not know, ransomware is a form of malicious software that encrypts the data of its victims. Ransomware gangs then hold that encrypted data hostage to extort a ransom in exchange for decryption. This insidious software leaves victims in a precarious position, locked out of their own valuable information until they meet the demands of the perpetrators. In some cases, the attackers also threaten to expose the stolen data to the public or launch denial-of-service attacks if the ransom is not paid. This is known as double or triple extortion.
As a ransomware gang, BlackCat is notable for several reasons:
- It can target multiple devices and operating systems, including Windows, Linux, and VMWare instances.
- It is one of the first ransomware families written in Rust, a modern programming language; its use helps the malware evade detection by conventional security solutions.
- It was one of the first ransomware gangs to operate a public data leak site on the open internet (versus posting data only to the dark web). This public leak site contains samples of the victims’ data to pressure them to pay the ransom.
- It has also been known to mimic victims’ websites, including typo-squatted replicas, and to post stolen data there to further pressure victims into paying the ransom.
How does BlackCat/ALPHV get access to an enterprise?
The entry vectors for BlackCat vary depending on the RaaS affiliate that deploys it, but the most common ones are:
- Remote desktop applications, such as Remote Desktop Protocol (RDP) or Virtual Network Computing (VNC), are often exposed to the internet and protected by weak or default credentials.
- Compromised credentials, which are obtained through phishing, brute force, or credential stuffing attacks, or purchased from initial access brokers on the dark web.
- Exchange server vulnerabilities, such as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which allow remote code execution on the target server.
Once the attackers gain initial access to the network, they use various tools and techniques to move laterally, escalate privileges, evade defenses, exfiltrate data, and ultimately launch the ransomware payload.
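As an added example (not code from the original post), here is a small Python detection routine for the first two entry vectors above: a burst of failed RDP logons from one source, followed by a success, which is the signature of brute force or credential stuffing against an exposed remote desktop service. The log records are constructed for this example and their whitespace-separated format is an assumption; the event IDs (4625 failed logon, 4624 successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) follow Windows Security log semantics.

```python
"""Flag RDP brute-force / credential-stuffing bursts in Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from a real host). Assumed field order:
# timestamp  event_id  logon_type  source_ip  target_user
SAMPLE_EVENTS = """\
2023-11-15T02:00:01 4625 10 203.0.113.7 administrator
2023-11-15T02:00:03 4625 10 203.0.113.7 admin
2023-11-15T02:00:05 4625 10 203.0.113.7 backup
2023-11-15T02:00:07 4625 10 203.0.113.7 jsmith
2023-11-15T02:00:09 4625 10 203.0.113.7 svc_sql
2023-11-15T02:00:11 4624 10 203.0.113.7 svc_sql
2023-11-15T09:12:40 4625 10 198.51.100.20 jsmith
2023-11-15T09:12:58 4624 10 198.51.100.20 jsmith
"""

FAIL_THRESHOLD = 5              # this many failed RDP logons from one source...
WINDOW = timedelta(minutes=5)   # ...inside this window is treated as a burst


def parse_events(text):
    """Parse the assumed record format into (ts, event_id, logon_type, ip, user)."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, src_ip, user = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), src_ip, user))
    return events


def find_rdp_bruteforce(events):
    """Return {src_ip: {failures, distinct_users, success_after}} for sources
    whose failed RDP logons reach FAIL_THRESHOLD within WINDOW; success_after
    records a user that then logged on successfully from the same source."""
    recent = defaultdict(list)   # src_ip -> [(ts, user), ...] inside WINDOW
    alerts = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events):
        if logon_type != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        window = [(t, u) for t, u in recent[src_ip] if ts - t <= WINDOW]
        if event_id == 4625:
            window.append((ts, user))
            recent[src_ip] = window
            if len(window) >= FAIL_THRESHOLD:
                alerts[src_ip] = {"failures": len(window),
                                  "distinct_users": len({u for _, u in window}),
                                  "success_after": None}
        elif event_id == 4624 and src_ip in alerts:
            # A success right after a failure burst: a guessed or stuffed credential
            alerts[src_ip]["success_after"] = user
    return alerts
```

A single failed logon followed by a success (the second source above) is normal user behaviour and is not flagged; only the five-attempt burst that ends in a successful logon produces an alert.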
How can you protect your enterprise from BlackCat/ALPHV ransomware?
The best way to prevent ransomware attacks is to adopt a proactive and comprehensive approach to cybersecurity, which includes the following best practices and tips:
- Strong cyber hygiene: Keep your systems and applications updated and patched, especially those that are exposed to the internet or contain sensitive data. This will help you avoid being exploited by known vulnerabilities that are often targeted by ransomware actors.
- Enable multi-factor authentication (MFA): Implement identity protections such as strong password policies and MFA for all accounts, especially those that have remote access capabilities or administrative privileges. This will help you prevent unauthorized access by attackers who use compromised credentials.
- Continuous security awareness: Educate your employees and users about the risks and signs of phishing and other social engineering attacks, which are often used to deliver ransomware or steal credentials. Teach them how to spot and report suspicious emails, links, attachments, and requests.
- Implement multiple layers of protection: Deploy and maintain a comprehensive security program, to include tools such as antivirus, firewall, endpoint detection and response (EDR), and network security monitoring (NSM). These tools can help you detect and block malicious activities and alert you of any potential threats.
- Implement a robust backup strategy: Create regular backups of your critical data, test them regularly, and store them offline or on a separate network. This way, you can restore your data in case of a ransomware attack without paying the ransom.
- Craft an incident response plan: Be sure to outline the roles and responsibilities of your team members, the steps to take in case of a ransomware attack, and the communication channels to use. This will help you respond quickly and effectively to minimize the impact and damage of the attack.
Ransomware isn’t going away. Every day, new victims are discovered or identified. With the recent SEC rule around disclosures, which follows other U.S. government agencies requiring critical infrastructure businesses to disclose a cybersecurity incident quickly, ransomware gangs are going to exploit these rules for their gain — as we saw with BlackCat this week.
All is not lost though. While ransomware gangs are unlikely to disappear, you can improve your security posture and reduce your risk by regularly reviewing foundational best practices, like regular patching and backups. If you’ve got that down, look to proactive security approaches, such as automated vulnerability scanning and remediation, to help protect against ransomware actors that are constantly evolving their tactics and techniques.
Are you sure that your organization is up to date on its patching? Can you say with certainty that the vulnerabilities found in your latest scan have been fixed? If you’d like to be able to confidently answer yes to these questions, schedule a Syxsense demo and rest easier.