Sphynx encryptor used by BlackCat to compromise Azure Storage

September 19, 2023
The notorious BlackCat ransomware group leveraged stolen Microsoft credentials and the recently identified Sphynx encryptor to exploit Azure cloud storage owned by their targets.

This new variant of the Sphynx encryptor adds support for custom login credentials. The operation begins once the attackers steal a One-Time Password (OTP) from the victim’s LastPass vault through the LastPass Chrome extension.

Next, they use the stolen OTP to access the victim’s Sophos Central account and turn off Tamper Protection so they can alter security policies. They then launch their encryption attack and lock down the Sophos customer’s systems and remote Azure cloud storage.

The attackers append the .zk09cvt extension to all encrypted files. In this campaign, the ransomware operators successfully encrypted 39 Azure Storage accounts.

The BlackCat group leveraged a stolen Azure key to breach the victim’s Azure portal. The actors inject these keys into the ransomware binary, encoded using Base64.
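As an added defender-side example (not from the original article or from Microsoft’s report), the following Python scans a suspect binary for Base64-encoded Azure Storage connection strings of the kind described above, so an analyst can see which account keys must be rotated. The sample blob, the account name `victimstorage` and the key are constructed placeholders, not real values.

```python
import base64
import re

# Constructed sample only: placeholder account name and an 88-character key with the
# shape of an Azure Storage account key (64 fixed bytes, Base64-encoded).
FAKE_KEY = base64.b64encode(b"\x11" * 64).decode()
CONN_STR = (
    "DefaultEndpointsProtocol=https;AccountName=victimstorage;"
    f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
)
# Fake "binary": header, padding, the Base64-encoded connection string, more padding.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + base64.b64encode(CONN_STR.encode())
    + b"\x00" * 16 + b"plain text"
)

# Runs of Base64 alphabet long enough to hold an encoded connection string.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Fields of an Azure Storage connection string, matched in the decoded text.
ACCOUNT_KEY = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
ACCOUNT_NAME = re.compile(r"AccountName=([a-z0-9]{3,24})")


def find_embedded_azure_keys(blob: bytes) -> list[dict]:
    """Return offset, account name and key for every Base64-encoded Azure Storage
    connection string found in blob, so an analyst knows which keys to rotate."""
    hits = []
    for match in B64_RUN.finditer(blob):
        run = match.group(0)
        if len(run) % 4:
            continue  # not a whole Base64 payload
        try:
            decoded = base64.b64decode(run, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # Base64-looking bytes that do not decode to text
        key = ACCOUNT_KEY.search(decoded)
        if not key:
            continue
        name = ACCOUNT_NAME.search(decoded)
        hits.append({
            "offset": match.start(),
            "account": name.group(1) if name else None,
            "key": key.group(1),
        })
    return hits

if __name__ == "__main__":
    for hit in find_embedded_azure_keys(SAMPLE_BINARY):
        print(f"offset {hit['offset']}: account={hit['account']} key={hit['key'][:8]}...")
```

The scan only catches UTF-8 text encoded in a single Base64 layer; UTF-16 strings or keys hidden behind additional encoding would need extra decoding passes.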

Additionally, these miscreants adopted Remote Monitoring and Management (RMM) tools, such as Splashtop, AnyDesk, and Atera, throughout their intrusion.

This new malware variant first appeared earlier this year, and the operators have run a similar campaign using the same payload.

Microsoft observed that the new Sphynx encryptor malware could embed the Remcom hacking tool and the Impacket networking framework to move laterally within a compromised network.

This threat organisation has consistently demonstrated sophistication in their attacks. They have successfully targeted global enterprises while continuously upgrading their tactics and adopting new strategies.

For example, last summer they introduced a new extortion method by creating a dedicated clear-web website to leak stolen information from specific victims, allowing those victims’ customers and employees to check whether their data was among the information compromised in the group’s attacks.

BlackCat shows no signs of slowing down; organisations and users should therefore stay informed about its tactics in order to build a defence strategy that can prevent or mitigate its attacks.