(PatriotWise.com)- The Federal Bureau of Investigation put out a new alert that says a ransomware gang has been responsible for compromising 60 organizations across the world just since last month.
The FBI says the gang, known as BlackCat, was the first group known to have written ransomware in the Rust programming language. The group, also known as ALPHV, is believed to have a relationship with BlackMatter, also known as DarkSide, a much more established ransomware gang.
The latter was responsible for the ransomware attack on Colonial Pipeline in the U.S. in May 2021. That attack disrupted the fuel supply to much of the southeastern United States.
BlackCat first appeared on the scene last November. Researchers from Cisco Talos say the group was created by “access brokers” who have sold access to groups such as BlackMatter that operate as RaaS, or ransomware as a service. The term is a play on SaaS, or software as a service, which legitimate companies such as Microsoft sell to consumers and businesses.
In a report issued in March, Cisco said most of the group’s efforts have been focused on critical infrastructure companies in Europe. That said, roughly 30% of the compromises attributed to BlackCat have targeted companies in the U.S.
In its most recent alert, the FBI said:
“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.
“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero, but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/BlackMatter, indicating they have extensive networks and experience with ransomware operations.”
Members of BlackCat gain initial access to a network using previously compromised user credentials. Following this first point of entry, they compromise administrator accounts in Microsoft Active Directory and then configure Group Policy Objects so that the ransomware can be deployed across the domain.
The group also uses legitimate Windows tools to disable anti-malware programs and other security features. The same tools let them copy the ransomware to multiple locations on the company’s network for deployment.
BlackCat does not rely on encryption alone for leverage: before encrypting systems, it first steals vital data, so that it can threaten a massive leak if the ransom demand isn’t met.
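The chain the article describes (compromised credentials, an Active Directory administrator account, a Group Policy Object change, then security tooling being switched off) leaves a recognizable trail in Windows event logs. The following is an added detection example written for this article; it is not code from the FBI alert, Cisco Talos or any vendor. It assumes that event records have already been parsed into dicts with the fields shown, and it relies on standard Windows event IDs (4624 successful logon, 5136 directory service object modified, and Windows Defender operational event 5001, real-time protection disabled). The sample events are constructed.

```python
"""
Added example (not from the article or the FBI alert): flag an account when the
three stages of the described intrusion chain occur in order within a short
window. Field names and the sample events are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed sample events, one malicious chain and one benign GPO edit.
SAMPLE_EVENTS = [
    {"time": "2022-03-01T02:10:00", "event_id": 4624, "host": "DC01",
     "account": "CORP\\svc_backup", "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2022-03-01T02:14:30", "event_id": 5136, "host": "DC01",
     "account": "CORP\\svc_backup", "object_class": "groupPolicyContainer",
     "attribute": "gPCFileSysPath"},
    {"time": "2022-03-01T02:20:05", "event_id": 5001, "host": "WS-FIN-07",
     "account": "CORP\\svc_backup",
     "source": "Microsoft-Windows-Windows Defender"},
    # Benign: an administrator edits a GPO during business hours and nothing
    # tampers with Defender afterwards.
    {"time": "2022-03-01T10:05:00", "event_id": 4624, "host": "DC01",
     "account": "CORP\\jdoe", "src_ip": "10.0.1.7", "logon_type": 10},
    {"time": "2022-03-01T10:09:12", "event_id": 5136, "host": "DC01",
     "account": "CORP\\jdoe", "object_class": "groupPolicyContainer",
     "attribute": "versionNumber"},
]


def classify(event):
    """Map one event to a stage of the chain, or None if it is not relevant.

    Stage 1: remote logon (network or RDP logon types) to a domain controller.
    Stage 2: modification of a Group Policy Object in the directory.
    Stage 3: Defender reports that real-time protection was disabled.
    """
    eid = event["event_id"]
    if eid == 4624 and event.get("logon_type") in (3, 10):
        return 1
    if eid == 5136 and event.get("object_class") == "groupPolicyContainer":
        return 2
    if eid == 5001 and "Defender" in event.get("source", ""):
        return 3
    return None


def detect_chain(events, window_minutes=60):
    """Return one alert per account that completes stages 1->2->3 in order
    within `window_minutes` of the initial logon."""
    window = timedelta(minutes=window_minutes)
    progress = {}  # account -> {"next": stage expected, "start": time, "hosts": [...]}
    alerts = []
    # ISO-8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        stage = classify(ev)
        if stage is None:
            continue
        t = datetime.fromisoformat(ev["time"])
        acct = ev["account"]
        if stage == 1:
            # A new remote logon (re)starts the clock for this account.
            progress[acct] = {"next": 2, "start": t, "hosts": [ev["host"]]}
            continue
        state = progress.get(acct)
        if state is None or t - state["start"] > window:
            # No preceding logon, or the window expired: discard partial state.
            progress.pop(acct, None)
            continue
        if stage == state["next"]:
            state["hosts"].append(ev["host"])
            state["next"] += 1
            if state["next"] > 3:
                alerts.append({"account": acct,
                               "start": state["start"].isoformat(),
                               "hosts": state["hosts"]})
                progress.pop(acct)
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print("chain complete:", alert)
```

The benign administrator in the sample never triggers an alert because the third stage (protection being disabled) never follows the GPO edit, which is the distinction that matters: GPO changes alone are routine, but a GPO change followed shortly by anti-malware being switched off on a workstation is the pattern worth paging someone for. In a real deployment the window and the logon types would be tuned to the environment, and the Defender event would be joined with process-creation telemetry from the same host.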
The FBI put out this alert in part to gain more information about any compromises that might involve BlackCat. It said:
“[The FBI is seeking] any information that can be shared, to include IP logs showing callbacks from foreign IP addresses, Bitcoin or Monero addresses and transaction IDs, communications with threat actors, the decryptor file, and/or a benign sample of an encrypted file.”