Hunting BlackCat: A ransomware family on the rise

News -

Hunting BlackCat: A ransomware family on the rise

  • Logpoint research reveals that BlackCat has the fourth-highest number of victims in the last six months.
  • BlackCat uses its public leak site to intimidate victims, where anyone can easily search and access the leaked victim information.

COPENHAGEN, Denmark & BOSTON, December 8, 2022 – Intimidation is the name of the game with BlackCat ransomware. Victim information is made easily accessible on the BlackCat website, ransom demands increase, and encryption keys are deleted. The intimidation seems to be working. The ransomware group had the fourth highest number of victims from May to November 2022, Logpoint research reveals, and the highest ransom demanded so far is 14 million dollars.

Logpoint’s Security Analyst team has analyzed multiple variants of the BlackCat ransomware to understand its Tactics, Techniques, and Procedures (TTPs). The analysis reveals that the ransomware mainly achieved initial access via spearphishing, tricking victims into downloading macro-enabled documents. The ransomware supports multiple encryption modes along with intermittent encryption, providing speed and defense evasion capabilities. In addition, BlackCat uses the data destruction method to destroy essential data or render it useless, maximizing the impact on the victim.

“BlackCat operates under the Ransomware-as-a-Service (RaaS) model and uses both double and triple extortion techniques. Now that it’s spreading, organizations need to be extra cautious,” says Doron Davidson, VP Logpoint Global Services. “Each second wasted equals lost data, so organizations must implement preventive measures that enable detection, apply automation for enrichment and response, and keep contingency plans up their sleeve.”

To safeguard your organization against BlackCat, Logpoint recommends:

  • Monitor carefully for suspicious activity that shows the possibility of BlackCat infection, such as suspicious processes spawned by various Microsoft Office utilities
  • Simulate the worst-case scenarios regularly and make sure the incident response, playbooks, and disaster recovery plan are in place for working and continuity of business
  • Use segmentation or other methods to design the network in such a way as to maximize the reduction of impact from BlackCat

Read Logpoint’s blog post about hunting and remediating BlackCat ransomware here. It contains an in-depth technical analysis of execution and persistence, lateral movement, impact, and more. It also provides tangible means of detecting, investigating, and responding to BlackCat.

Related links

Topics

Categories

Contacts

Maimouna Corr Fonsbøl

Maimouna Corr Fonsbøl

Press contact Head of PR PR & Communications +45 25 66 82 98

Related content

Logpoint named a Major Player in 2022 IDC MarketScape for worldwide SIEM software

Logpoint named a Major Player in 2022 IDC MarketScape for worldwide SIEM software

Logpoint named a Major Player in 2022 IDC MarketScape for worldwide SIEM software

Logpoint 2023 predictions: The year of the business-driven CISO

Logpoint 2023 predictions: The year of the business-driven CISO

2023 is the year CISOs will be empowered – and forced – to address cybersecurity from a business perspective

Logpoint Global Services has researched the banking trojan IcedID, which has developed into a gateway for more sophisticated attacks

Cyber attackers hiding behind legal threats: A deep-dive into the IcedID gateway to sophisticated cyberattacks

Logpoint Global Services has researched the banking trojan IcedID, which has developed into a gateway for more sophisticated attacks. IcedID leverage legitimate infrastructure like contact forms and email to deliver fake legal threats or spoofed invoices.

LockBit: A deep-dive into the rapidly evolving RaaS gang and its unique business model

LockBit: A deep-dive into the rapidly evolving RaaS gang and its unique business model

New Logpoint study unfolds the ransomware threat landscape in the wake of the LockBit 3.0 launch in June 2022. LockBit 3.0 introduces new unique services such as automatic data exfiltration and the world’s first ransomware bug-bounty program.

An old acquaintance resurfaces with new capabilities

QakBOT: An old acquaintance resurfaces with new capabilities

A new Logpoint study reveals that the latest QakBot malware version is heavily used in malspam campaigns by notorious ransomware gangs. The new QakBot emergence uses multiple, simple yet effective defense evasion techniques against static detection methods.

The resurgence of a crippling malware: How to threat hunt Emotet

The resurgence of a crippling malware: How to threat hunt Emotet

Logpoint research reveals that Emotet has developed into a Loader-as-a-Service - a dropper of other malware. Logpoint recommends looking out for its common TTPs, IoCs, and malicious macros to detect Emotet.

Warning about Russian threat actor Gamaredon

Warning about Russian threat actor Gamaredon: How to stay protected ahead of invasion anniversary cyber threat

Logpoint has conducted research into the hacktivist group Gamaredon, which according to Ukrainian CERT, is actively renewing attack efforts shifting focus from destruction to espionage and information stealing.

Royal ransomware investigation: How to brace for the sharp increase

Royal ransomware investigation: How to brace for the sharp increase

Logpoint research reveals what organizations should monitor for to safeguard against the rapid increase in royal ransomware attacks. The Royal ransomware group has leaked data of more than 60 victims since November 2022.