BlackCat ransomware breached over 60 organizations worldwide

Ransomware attacks increasingly hit different organizations like universities and lead to breaches

Reports suggest that ransomware is never stopping. Ransomware targets remote workers and organizations. Reports also show major similarities between huge strains of cryptovirus.

The FBI warns of the BlackCat ransomware gang, which managed to cause breaches after attacking more than 60 companies across the world. The ransomware-as-a-service, which has been attacking devices since November 2021 and claimed 60 victims by March 2022, is also named Noberus or ALPHV.[1] The ransomware is known for being the first malware written in the Rust programming language, which is typically known to be memory safe and to offer improved performance.[2]

This ransomware is linked with multiple gang members, such as money extortionists and the creators responsible for the BlackMatter or DarkSide ransomware attacks.[3] There are indications that the team is experienced in these kinds of operations, including triggering cryptovirus attacks and installing malware.

The FBI released an advisory listing the technical details of the BlackCat ransomware operations and attacks that happened in the short span of six months. The agency also lists recommendations for avoiding and preventing security risks, and encourages users and administrators to review these details and apply the mitigations.

Major similarities with huge ransomware gangs

The advisory from the FBI comes not long after Cisco Talos and Kaspersky issued reports revealing links between the BlackCat and BlackMatter ransomware gangs.[4] These reports reveal that the gangs use a modified version of a data exfiltration tool named Fendr, which was previously used in BlackMatter operations. Developing in Rust provides advantages of its own, and the attackers also benefit from a lower detection ratio by static analysis tools, which is not usual for other programming languages.

BlackCat is not only a ransomware-as-a-service but also follows a modus operandi that involves the theft of various information before the ransomware is executed. The stolen data can often be leveraged to extract payment when the ransom is not paid. Compromised credentials are used to gain initial access to the targeted systems.

Because this is a prominent ransomware gang, many different analyses of this family have been carried out. The research shows that some attacks succeeded because of the penetration methods used. In one incident, which took place back in March 2022, a SonicWall firewall was accessed in order to later encrypt a VMware ESXi virtual farm. Law enforcement agencies continue to analyze the attacks and release reports with mitigations.

Ransomware chooses different targets more often and shifts the focus

Ransomware attacks are now hitting universities and costing officials a lot. Schools and universities have recently faced huge numbers of ransomware attacks and various other cyber security incidents.[5] These attacks severely impact the education sector and have been happening for years, but recent warnings from agencies draw attention to the more recent issues.

There is an increased threat of cryptovirus attacks against the education sector. Reports show that dozens of UK universities, colleges, and schools have been attacked since 2020. These ransomware infections cause disruption for students and staff, and institutions spend huge amounts of money trying to resolve the issues.

In some cases, these costs can exceed the $3 million mark. There are also additional losses when officials consider paying the ransom. However, that is never a good idea. It is rarely possible to fully recover from such incidents, so losses can be major nevertheless.

About the author
Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for He graduated from the Washington and Jefferson College, Communication and Journalism studies.
