BlackCat, also known as ALPHV, is a strain of ransomware that has been around since November 2021. To be more precise, BlackCat is a ransomware-as-a-service (RaaS) operation, and one of the most advanced RaaS operations to date.
The BlackCat group has been attracting affiliates from other RaaS groups with a 90% payout and a highly customizable set of features that enable even the most novice affiliates to launch sophisticated attacks on corporations.
Thus far, the highest ransom demanded by BlackCat was $14 million, although discounts are available for companies that pay up early. Of course, companies should only pay the ransom if it is absolutely necessary, as paying fuels further criminal activity, and there is no guarantee that they will get their files back.
How Does BlackCat Ransomware Work?
BlackCat uses the “triple extortion” technique, in which the attackers first take a copy of the victim’s data and then encrypt the data on the victim’s machine. If the victim refuses to pay the ransom, the attackers then threaten to destroy the decryption keys, publicly disclose the data, and/or launch a distributed denial-of-service (DDoS) attack.
An important difference between BlackCat and other strains of ransomware is that BlackCat is written in the Rust programming language. We will likely see an increase in Rust-based malware, as Rust is fast, secure, stable, allows for better memory management, and is able to evade existing detection capabilities. BlackCat can also be run on non-Windows operating systems, such as Linux. Since very few strains of malware target Linux-based systems, Linux administrators may be less prepared to deal with the screen of doom than Windows administrators.
BlackCat is highly configurable. It includes a JSON file that allows users to choose between four different encryption algorithms, customize the ransom note, specify which files, folders, and extensions to ignore, and specify which services and processes should be terminated so that open files can be encrypted properly. BlackCat can also be configured to work with domain credentials, which better enables it to spread to other systems.
Examples of BlackCat Ransomware attacks
Given that BlackCat has only been around since the end of 2021, there are few real-life examples of BlackCat ransomware attacks. However, on January 29th, 2022, two German oil companies were hit by a ransomware attack that affected 233 gas stations across Germany. The attack caused serious disruption, and one of the largest oil and gas companies was forced to reroute supplies. According to an article by ZDNet.com, the BlackCat ransomware group is believed to have been behind the attack.
How to Protect Against BlackCat Ransomware Attacks
The methods used to protect your systems and data from BlackCat ransomware attacks are much the same as the methods used to protect against other forms of ransomware. These methods include:
Ensure that all employees are able to identify malicious emails, attachments, links, websites, apps, etc.
Encrypting sensitive data
Given that BlackCat will take copies of your data, it would be wise to ensure that all sensitive data is encrypted, in order to prevent the attackers from using it.
Take regular backups of your data and store them in a secure location.
Any updates/patches must be installed as soon as they become available. Consider using an automated patch management solution.
Using strong passwords
Attackers will seek to compromise as many user accounts as possible in order to encrypt as many files as possible. Having a strong password policy, or better yet, implementing multi-factor authentication, will help to prevent attackers from easily gaining access to other parts of your network.
Monitoring network traffic
Adopt a sophisticated intrusion prevention solution to ensure that you are able to detect and respond to suspicious inbound and outbound network traffic.
Monitoring file and folder activity
Use a real-time data-centric file auditing solution that will help you keep a close eye on how your files and folders are being accessed and used. As a priority, you should receive real-time alerts when documents containing non-sensitive data are encrypted. After all, if data isn’t sensitive, there should be no reason to encrypt it. Some newer solutions allow you to set up threshold conditions and then trigger an alert or execute a custom script when the condition is met. For example, if x number of files are copied or encrypted within a given time frame, the script can disable user accounts, change the firewall settings, shut down servers, and take any other actions that will help to stop the attack in its tracks.
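As an added example (not part of the original article, and not any vendor's product code), the threshold condition described above implemented in Python over a constructed file-audit log: it raises one alert the moment a single account modifies 50 or more files within a sliding 60-second window. The record format, user names, paths and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                  # modified files per user ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window

def parse_event(line):
    """Parse one constructed audit record: 'ISO-timestamp|user|action|path'."""
    ts, user, action, path = line.split("|", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Count WRITE/RENAME events per user over a sliding time window.

    Events must be in chronological order. Returns one (user, timestamp)
    alert per user, raised the moment that user's count in the window first
    reaches the threshold. A real deployment would hand each alert to a
    response hook (disable the account, isolate the host, and so on).
    """
    recent = defaultdict(deque)   # user -> timestamps of events still in the window
    alerts, alerted = [], set()
    for line in lines:
        ts, user, action, _path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:     # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts))
    return alerts

def constructed_sample():
    """Constructed audit log: one normal user and one account mass-rewriting files."""
    base = datetime(2022, 1, 29, 2, 0, 0)
    lines = []
    for i in range(5):           # jdoe edits five documents over ten minutes
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()}|jdoe|WRITE|/srv/share/hr/doc{i}.docx")
    for i in range(80):          # user42 rewrites 80 files in 20 seconds
        t = base + timedelta(minutes=3, milliseconds=250 * i)
        lines.append(f"{t.isoformat()}|user42|WRITE|/srv/share/finance/f{i}.xlsx")
    lines.sort(key=lambda l: datetime.fromisoformat(l.split("|", 1)[0]))
    return lines

if __name__ == "__main__":
    for user, ts in detect_bursts(constructed_sample()):
        print(f"ALERT {ts.isoformat()} {user}: >= {THRESHOLD} files modified in {WINDOW.seconds}s")
```

The normal user never approaches the threshold, while the mass-rewriting account is flagged on its 50th write, about twelve seconds into the burst and long before the remaining files are touched.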