BlackCat Ransomware

BlackCat ransomware-as-a-service (RaaS) emerged in November 2021. It is written in the modern programming language Rust, which may make its intrusions more difficult to detect. RaaS refers to a cybercriminal network of ransomware access brokers, operators and affiliates. Perpetrators of BlackCat have engaged in “double extortion”, in which a ransom demand related to data encryption is made, followed by another ransom demand related to the threat of public data exposure. BlackCat threat actors have published stolen sensitive and searchable PII (personally identifiable information) on the public internet. See Krebs on Security, ALPHV/BlackCat Ransomware Group Debuts Searchable Victim Data. The FBI has reported that as of April 2022, BlackCat had compromised at least 60 entities worldwide.

BlackCat is not reliant on human interaction to deploy and is able to self-propagate. It can target and encrypt Windows and Linux devices, as well as VMware instances. Infiltrations have occurred via compromised accounts, remote access vulnerabilities and the exploitation of MS Exchange vulnerabilities. For IoCs (indicators of compromise), TTPs (tactics, techniques and procedures), and mitigation strategies for organizations, see the above-referenced FBI report and the following Microsoft blog post, The many lives of BlackCat ransomware.

To avoid these types of cyber threats:

  • Update your devices regularly, as patches address known security vulnerabilities. 
  • Use strong, unique passwords or passphrases (14+ characters) on all of your accounts. Use passwords that are hard to guess and do not share them with others. 
  • Use MFA on all available accounts. By adding a second layer of security, MFA protects you if your login credentials are compromised. 
  • Maintain securely stored offline backups. 

If you know or suspect you may have a ransomware infection, disconnect from the network and all connected systems, but do not power off, and immediately email AskIT@nyu.edu, security@nyu.edu, and your local IT Admin (if you have one).