BlackCat, also known as Noberus or ALPHV ransomware, was created by a group of Russian-speaking cybercriminals. It was first discovered in 2021 and has been the most active ransomware family since then. The malware is written in the Rust programming language, which makes it more difficult to remove. It has affected businesses in construction, energy, technology, manufacturing, healthcare, and retail.
The malware is operated as ransomware-as-a-service (RaaS) by ALPHV, a Russian-speaking group of cybercrime actors.
Signs of a BlackCat Attack
Indicators of BlackCat attacks include file hash signatures, domains published by the FBI and in other malware analysis reports, and command and control (C2) IP addresses.
Signs that help to identify BlackCat attacks:
- Appending a random extension to each encrypted file; the extension is unique to each campaign.
- Using a distinctive ransom note format that distinguishes BlackCat from other ransomware.
- Writing a file named ‘RECOVER-<random>-NOTES.txt’ into every directory that contains encrypted files.
- Including in that ransom note a link to a dedicated Tor website that shows evidence of the exfiltrated and ransomed data.
Reasons for ransomware infections:
An infection commonly begins when a user downloads a game or application from an unverified site or opens a malicious link. Once the ransomware runs, the user is denied access to the files on their computer. To regain access, the victim is told to pay the ransom the attackers impose. The ransom is usually demanded in Bitcoin, and the attackers supply the wallet address. There is no guarantee that access will be restored after the Bitcoin is sent.
How does ransomware spread?
- Phishing: the attacker sends the victim an unsolicited email, or lures them with Google ads promoting fake downloads of popular software.
- Malware bundled with other software
- Third-party apps
- Connecting to untrusted Wi-Fi networks
- Remote Desktop Protocol (RDP) access
Types of Ransomware
- Locker ransomware: locks the user out of their files or device; access is restored only after the ransom or "fine" is paid.
- Crypto ransomware: encrypts the files on a desktop or mobile device and extorts money in exchange for the decryption key.
- Scareware: a technique that frightens or coerces victims into installing malicious software or visiting spoofed or compromised websites.
How to avoid ransomware?
- Understand the risks ransomware poses, how to spot potential threats, how to prevent them, and how to respond if an attack happens.
- Back up all data to cloud storage, a physical drive, or a separate computer.
- Apply updates, especially security updates, as early as possible. Software updates contain security patches that close the holes ransomware attackers rely on.
- Install an anti-virus application.
- Encrypt sensitive data; this converts the data into a form that cannot be read without the encryption key.
- Use strong passwords and implement multi-factor authentication; this limits how far an attacker who compromises one account can move into other parts of the network.
- Monitor network traffic, both incoming and outgoing, to see how data flows between devices on the network.
- Monitor file and folder activity to see how files are being accessed and changed.
- Employ multi-factor authentication (MFA): rather than trusting a username and password alone, MFA adds a further check that validates the user’s identity.
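The two concrete signs listed earlier (a per-campaign random extension on encrypted files and a RECOVER-<random>-NOTES.txt note in every affected directory) and the advice to watch file and folder activity can be turned into a small triage check. The script below is an added example, not code from the article or from any vendor tool: it walks a directory tree, reports files whose names match the note pattern, and groups files by extension so that an unfamiliar extension appearing on many files whose contents look like ciphertext (high byte entropy) is flagged. The allow-list of normal extensions, the five-file and 7.5-bits-per-byte thresholds, and the sample directory it builds are all assumptions constructed for the demo.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Ransom-note file name pattern taken from the article: RECOVER-<random>-NOTES.txt.
NOTE_RE = re.compile(r"^RECOVER-[A-Za-z0-9]+-NOTES\.txt$", re.IGNORECASE)

# Assumed allow-list of extensions that are normal in this environment; anything else
# that suddenly appears on many files is treated as a candidate campaign extension.
KNOWN_EXTS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".log", ".exe", ".dll"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed content sits close to 8.0, plain text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_ransom_notes(root: str) -> list[str]:
    """Paths of every file whose name matches the BlackCat note pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, f) for f in files if NOTE_RE.match(f))
    return sorted(hits)


def suspicious_extensions(root: str, min_files: int = 5, entropy_threshold: float = 7.5) -> dict:
    """Map unknown extension -> (file count, count of files whose first 4 KiB look encrypted).

    Thresholds are assumptions for the demo: one odd extension is noise, the same odd
    extension on five or more high-entropy files is the pattern the article describes.
    """
    by_ext: Counter = Counter()
    high_entropy: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = Path(name).suffix.lower()
            if not ext or ext in KNOWN_EXTS:
                continue
            by_ext[ext] += 1
            with open(os.path.join(dirpath, name), "rb") as fh:
                head = fh.read(4096)
            if shannon_entropy(head) >= entropy_threshold:
                high_entropy[ext] += 1
    return {ext: (n, high_entropy[ext]) for ext, n in by_ext.items() if n >= min_files}


def triage(root: str) -> dict:
    """Combine both checks into one report for a directory tree."""
    return {"notes": find_ransom_notes(root), "extensions": suspicious_extensions(root)}


def build_sample_tree() -> str:
    """Constructed sample data, not a real infection: a few plain documents, six files
    renamed with one random-looking extension and filled with random bytes to stand in
    for ciphertext, and a note file that follows the article's naming pattern."""
    root = tempfile.mkdtemp(prefix="ransom_triage_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    for i in range(3):
        (docs / f"report{i}.txt").write_text("quarterly figures and commentary\n" * 40)
    for i in range(6):
        (docs / f"invoice{i}.pdf.sykffle").write_bytes(os.urandom(4096))
    (docs / "RECOVER-sykffle-NOTES.txt").write_text(">> Your files have been encrypted (constructed note)\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print("ransom notes:", report["notes"])
    print("suspicious extensions:", report["extensions"])
```

Point `triage()` at a real share or home directory instead of the constructed tree to use it as a quick post-incident sweep; the extension grouping is the more useful of the two checks during an ongoing incident, because notes are written alongside the encryption, whereas a burst of files gaining the same unknown extension can be seen while it is still in progress.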
Let’s check how BlackCat ransomware works
BlackCat gains initial access to the IT environment and user accounts in several ways, which were discussed above. Once a device is infected, the operators encrypt files and data on servers and individual machines and the user is denied access. BlackCat operators may also exfiltrate data before encrypting it.
FAQs
A. Ransomware is a type of malicious software or malware that encrypts files on the device, denying access and rendering files unusable until a ransom is paid.
A. Ransomware as a service (RaaS) is a business model in which ransomware developers and operators lease their software to criminal affiliates or carry out attacks on behalf of other cybercriminals.
A. BlackCat deliberately targets large organizations for substantial ransom payments, demanding sums that typically range from hundreds of thousands to millions of dollars in cryptocurrency. More than 20 organizations from multiple countries have been identified on the group’s Tor leak site. Targeted industries include business services, construction, energy, fashion, finance, logistics, manufacturing, pharmaceuticals, retail, and technology.