BlackCat: the hottest ransomware Group of the year

Historically criminals would have to raid banks or businesses to demand a ransom, but today they can commit the crime with absolutely no physical contact and from another part of the world. This is called ransomware, where malicious threat actors gain access to data, encrypt it and make computer systems inoperable until a ransom is paid.

As the ransomware epidemic escalates, cyber criminals are becoming smarter and cyber attacks appear to be growing more and more sophisticated. As a result, large-scale, disruptive cyber attacks are becoming the norm.

Over the past year or so, cyber threats have risen to an all-time high, from small-scale smishing attacks aimed at the general public to headline news of business and government ransomware attacks happening around the globe.


About BlackCat

One of the hottest cyber-gangs today is a ransomware group named BlackCat. According to Palo Alto Networks, BlackCat operates as Ransomware as a Service (RaaS), allowing third-party affiliates of the malware to keep 80-90% of ransomware profits, with the remaining funds going directly to the creator. Available on cybercrime forums, the software has been active since Nov 2021 and has quickly gained traction with affiliates, possibly because of the alluring share of the profits from using the RaaS.

Figure 1. Palo Alto Data: BlackCat leak site victims by country.


The RaaS is also highly sophisticated and is possibly one of the first ransomware families ever written in the Rust programming language. This gives ALPHV's (BlackCat's) malware the ability to target multiple computer systems, including Windows, Linux, and VMware ESXi systems. According to Palo Alto, victims are reported all over the world, with the U.S. the most targeted (41.7%), followed by Germany, the Netherlands, France, Spain and the Philippines.


BlackCat headlines

The ransomware group is quickly gaining notoriety. Most recently, on 11 February, aviation services group Swissport announced that it had become the victim of a ransomware attack, forcing flight delays and other disruptions. The company announced the attack via Twitter:

"IT security incident at #Swissport contained. Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologise for any inconvenience."

The BlackCat ransomware group has claimed responsibility for the attack. According to Pierluigi Paganini, member of the ENISA, BlackCat ransomware operators leaked a sample of data allegedly stolen during the ransomware attack, claiming to have stolen 1.6TB of data that is available for sale.

The leaked data is said to include business documents, tax declarations, images of passports, and ID cards of individuals. Leaked data also includes personal information of job candidates, including name, passport number, nationality, religion, email, phone number, job role, interview scores, and more.

Further large-scale disruption includes the group's link to the cyber attack announced on 29 January against two German oil companies. This attack caused mass disruption, affecting hundreds of gas stations across Germany.

Similarities in this attack have also been linked to the infamous DarkSide cyber-gang, who were accused of the 2021 attack on Colonial Pipeline Co. that shut down the largest gasoline pipeline in the U.S. for several days. After the Colonial Pipeline attack, DarkSide was shut down following law enforcement action, and members of that gang are now believed to have reformed under the BlackCat cyber-group.


How can I protect my organisation from ransomware?

Protecting your organisation from ransomware can be challenging. Many preventative measures can be implemented, from educating your employees, to ensuring that you have the latest antivirus software, to making sure that all of your data is secured and backed up. Even with these in place, a vulnerability in one of your third-party suppliers' infrastructure can still act as an entry point for an attacker.

Learn how secure your business is today with an instant, non-intrusive, free assessment of your organisation. Gain digital risk intelligence over your entire vendor ecosystem with security ratings integrated into leading GRC and VRM solutions. Sign up here to receive your free security score.
