
Two new incidents attributed to the ransomware group BlackCat have come to light, one involving an attack on a shared cloud hosting provider and the other the use of customized malware. New findings from Kaspersky detailing the group's activities show that BlackCat now writes its malware in Rust, a language not typically used by ransomware groups. The ransomware-as-a-service (RaaS) group is believed to be the successor to earlier collectives such as REvil and BlackMatter.

“After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over their niche,” said Dmitry Galov, security researcher at Kaspersky’s Global Research and Analysis Team. “Knowledge of malware development, a new written-from-scratch sample in an unusual programming language and experience in maintaining infrastructure are turning the BlackCat group into a major player in the ransomware market.”

BlackCat’s recent ransomware attempts

According to Kaspersky's findings, the RaaS group has targeted companies in different industries and different parts of the world. The first attack detailed in the report was on a vulnerable enterprise resource planning (ERP) provider in the Middle East that hosted multiple customer sites on one server; the second targeted an oil, gas and mining company based in South America. The difference between the two targets suggests that BlackCat has no fixed victim profile and simply goes after whatever weaknesses it finds in an organization's systems.

In the first attack, BlackCat dropped two separate executable files onto the same server, each aimed at a different enterprise whose site was hosted there. The group then tried to exploit vulnerabilities in the shared cloud environment before the attempt was shut down. The tactic mirrors an attack REvil carried out in 2019, indicating that BlackCat is reusing some of the same methods and software.


The second attack was an attempt to deliver BlackCat's ransomware to the South American oil, gas and mining company's network. Alongside the ransomware executable, the group used a customized tool known as Fendr, which has its roots in BlackMatter's attacks and is used to exfiltrate data from the victim. The ransomware executable itself is written in Rust, which makes reverse engineering it a more laborious process.

“By analyzing these major incidents, we highlighted the main features, tools and techniques used by BlackCat while penetrating their victims’ networks,” Galov said. “This knowledge helps us keep our users safe and protected from known and unknown threats. We urge the cybersecurity community to join forces and work together against new cybercriminal groups for a safer future.”

What organizations can do to protect themselves

As part of its report, Kaspersky offers several recommendations to businesses that may be next on the target list:

  • Keep security software up to date across all devices
  • Educate employees, through training, on how to protect the company
  • Focus on identifying lateral movement and data exfiltration to the internet
  • Back up data regularly and make sure it is available in an emergency
  • Use the latest threat intelligence to stay current on attack vectors
  • Use security solutions that help identify suspicious activity
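The third recommendation, spotting lateral movement and outbound exfiltration, is the one most teams can turn into a concrete detection. The script below is an added example written for this article, not code from Kaspersky or from any tool the report describes. It runs two simple heuristics over constructed flow records (source, destination, port, bytes out): it flags a host whose outbound volume to addresses outside the organization's own ranges exceeds a multiple of a per-host baseline, and it flags a host that touches many distinct internal machines on SSH, SMB, RDP or WinRM ports within a short window. The internal network ranges, baselines, thresholds and sample flows are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical address ranges owned by the organization. Membership is
# checked explicitly rather than via ipaddress.is_private, because the
# RFC 5737 documentation ranges used below as "external" hosts are
# reported as non-global by that property.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Ports commonly used for remote administration and file sharing.
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed sample flow records for this example; they are not from the
# incidents described in the article. Fields: timestamp, src, dst, dst_port, bytes_out.
SAMPLE_FLOWS = [
    # Ordinary workstation browsing
    ("2022-06-01T09:00:00", "10.0.0.5", "203.0.113.20", 443, 150_000),
    # Backup server pushing its nightly set offsite: large but expected for that host
    ("2022-06-01T02:00:00", "10.0.0.9", "198.51.100.5", 443, 60_000_000),
    ("2022-06-01T09:05:00", "10.0.0.9", "10.0.0.2", 445, 3_000_000),
    # Workstation 10.0.0.5 suddenly pushes half a gigabyte to one external host
    ("2022-06-01T11:10:00", "10.0.0.5", "203.0.113.10", 443, 250_000_000),
    ("2022-06-01T11:12:00", "10.0.0.5", "203.0.113.10", 443, 250_000_000),
    # Host 10.0.0.7 sweeps SMB on seven internal hosts within two minutes
    ("2022-06-01T11:20:00", "10.0.0.7", "10.0.0.20", 445, 2_000),
    ("2022-06-01T11:20:15", "10.0.0.7", "10.0.0.21", 445, 2_000),
    ("2022-06-01T11:20:30", "10.0.0.7", "10.0.0.22", 445, 2_000),
    ("2022-06-01T11:20:45", "10.0.0.7", "10.0.0.23", 445, 2_000),
    ("2022-06-01T11:21:00", "10.0.0.7", "10.0.0.24", 445, 2_000),
    ("2022-06-01T11:21:30", "10.0.0.7", "10.0.0.25", 445, 2_000),
    ("2022-06-01T11:21:45", "10.0.0.7", "10.0.0.26", 445, 2_000),
]

# Hypothetical per-host daily outbound baselines in bytes, e.g. learned
# from the previous 30 days of flow data.
BASELINE_BYTES_OUT = {"10.0.0.5": 2_000_000, "10.0.0.7": 1_000_000, "10.0.0.9": 50_000_000}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organization's own ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exfil_candidates(flows, baseline, factor=10, default_baseline=1_000_000):
    """Return {src: bytes_out} for hosts whose outbound volume to external
    addresses exceeds `factor` times their baseline (or a default for
    hosts with no baseline yet)."""
    out = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if not is_internal(dst):
            out[src] += nbytes
    return {src: b for src, b in out.items()
            if b > factor * baseline.get(src, default_baseline)}


def lateral_movement_candidates(flows, min_hosts=5, window=timedelta(minutes=5),
                                ports=LATERAL_PORTS):
    """Return {src: set_of_dsts} for hosts that contact at least `min_hosts`
    distinct internal machines on admin/file-sharing ports inside `window`."""
    events = defaultdict(list)
    for ts, src, dst, port, _n in flows:
        if port in ports and is_internal(dst) and src != dst:
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end, (t_end, _dst) in enumerate(evs):
            # Slide the window start forward until it covers at most `window`.
            while t_end - evs[start][0] > window:
                start += 1
            targets = {d for _, d in evs[start:end + 1]}
            if len(targets) >= min_hosts:
                flagged[src] = targets
                break
    return flagged


if __name__ == "__main__":
    for src, nbytes in exfil_candidates(SAMPLE_FLOWS, BASELINE_BYTES_OUT).items():
        print(f"possible exfiltration: {src} sent {nbytes:,} bytes externally")
    for src, targets in lateral_movement_candidates(SAMPLE_FLOWS).items():
        print(f"possible lateral movement: {src} -> {sorted(targets)}")
```

On the sample data the backup server is not flagged even though it sends the most data, because its baseline is high; the workstation is flagged because its volume is hundreds of times its norm. A per-host baseline, rather than a single global threshold, is what keeps a detector like this from drowning in alerts from file servers and backup jobs.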

Following these practices is invaluable for businesses that want to limit the damage of a cyberattack. Deploying and maintaining security software should be a major priority, but organizations should also make clear to employees that they are expected to watch for and report suspicious activity. If training can be the difference between paying hundreds of thousands of dollars in ransom and not paying at all, investing in the workforce alongside up-to-date security software pays off in the long run.