FBI Reveals Black Cat Ransomware Crossed At Least 60 Organizations With Bad Mojo

We all know that it is bad luck to cross a black cat. This particular black cat should make you run in the opposite direction. The FBI recently confirmed that the BlackCat ransomware compromised at least 60 organizations worldwide.

The breaches occurred between November 2021 and March 2022. BlackCat/ALPHV ransomware was able to acquire victims’ data from cloud providers and other locations where this data was stored. The group took advantage of compromised credentials to get into various systems and "compromise Active Directory user and administrator accounts."

According to the FBI, the malware utilizes “Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial deployment of the malware leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network.” The malware will then leverage Windows administrative tools and Microsoft Sysinternals. It is able to infect other hosts by leveraging Windows scripting. You can find a full list of indicators in the FBI’s FLASH alert.

The FBI is currently requesting information from anyone who has been impacted by the attacks or has information about the group. The FBI believes that many members of the BlackCat/ALPHV ransomware group are also connected to Darkside/Blackmatter. It was reported last year that Darkside/Blackmatter had raked in $90 million in Bitcoin ransom payments in just a few months. These links indicate that BlackCat/ALPHV has “extensive networks and experience with ransomware operations.”

The FBI noted that BlackCat/ALPHV usually requests “ransom payments of several million dollars in Bitcoin and Monero” but will often settle for lesser amounts. The FBI requests that victims do not pay the ransoms, as there is no guarantee that their data will be recovered, but recognizes that some may choose to do so. It has asked that those who have been impacted by the attacks report them immediately to the FBI so that it can protect others in the future. It also recommends several practices to prevent such an attack from occurring in the first place. These recommendations include regularly backing up data, changing passwords and requiring MFA, updating antivirus and anti-malware software, and reviewing domain controllers, servers, workstations, and Active Directory for unrecognized accounts.
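The review the FBI recommends (unrecognized accounts on domain controllers and workstations) and the deployment path it describes (GPOs and scheduled tasks) can both be checked from a domain-joined admin workstation. The script below is an added example written for this article, not code from the FBI alert or from the article's author. It assumes the RSAT `ActiveDirectory` and `GroupPolicy` modules are installed and that it runs with domain-admin rights; the 7-day look-back window and the `ScheduledTasks` string match against the GPO report XML are assumptions chosen for illustration, not indicators from the alert.

```powershell
# Added example: defender's review of recently created AD accounts, recently
# modified GPOs, GPOs that carry Scheduled Task preferences, and local scheduled
# tasks that launch PowerShell. Assumes RSAT modules and domain-admin rights.
param([int]$Days = 7)   # look-back window (assumed value)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$since = (Get-Date).AddDays(-$Days)

# 1. Accounts created within the window, with their group memberships, so that
#    an unrecognized account that was also dropped into Domain Admins stands out.
$newUsers = Get-ADUser -Filter { whenCreated -ge $since } -Properties whenCreated, MemberOf |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }

# 2. GPOs modified within the window. A ransomware deployment pushed through Group
#    Policy leaves a fresh ModificationTime on the GPO it abused.
$changedGpos = Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $since } |
    Select-Object DisplayName, ModificationTime, Owner, Id

# 3. GPOs whose settings report contains a Scheduled Tasks preference item.
#    Heuristic (assumed): the XML report of a GPO that defines scheduled tasks
#    contains the element name "ScheduledTasks".
$gposWithTasks = Get-GPO -All | Where-Object {
    (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'ScheduledTasks'
} | Select-Object DisplayName, ModificationTime, Id

# 4. Scheduled tasks on this host whose action launches PowerShell; review the
#    arguments rather than assuming every match is malicious (admin scripts are common).
$psTasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -match 'powershell'
} | Select-Object TaskName, TaskPath, State,
        @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } }

Write-Host "== Accounts created since $since =="
$newUsers | Format-Table -AutoSize
Write-Host "== GPOs modified since $since =="
$changedGpos | Format-Table -AutoSize
Write-Host "== GPOs carrying Scheduled Task preferences =="
$gposWithTasks | Format-Table -AutoSize
Write-Host "== Local scheduled tasks launching PowerShell =="
$psTasks | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on a management host (`.\Review-AdChanges.ps1 -Days 14` to widen the window). Every section is a review list rather than a verdict: compare the accounts and GPOs against the change records the operations team keeps, and treat anything that no one can account for as the starting point for an incident-response ticket.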