Oct 04 2022

BlackCat Ransomware Gang Claims to Have Hacked US Department of Defense Contractor

Category: Hacking,RansomwareDISC @ 8:47 am
BlackCat Ransomware Gang Claims to Have Hacked US Department of Defense Contractor

NJVC has been added to the victim list of the BlackCat (ALPHV) ransomware gang. NJVC provides IT support to the US government’s intelligence and defense organizations.

With annual revenue of over $290 million, the company NJVC has a very impressive record. It is claimed that the BlackCat Ransomware Gang has hacked the Department of Defense of the United States of America.

https://twitter.com/ido_cohen2/status/1575400938445148160?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1575400938445148160%7Ctwgr%5E976c826f6097a93f3c2ed9be16ee13aa180e1e03%7Ctwcon%5Es1_c10&ref_url=https%3A%2F%2Fgbhackers.com%2Fblackcat-ransomware-gang%2F

DarkFeed, a deep web intelligence company that operates on the dark web, spotted the message on 28 September. There was a breach declaration provided by BlackCat, which resulted in its immediate suspension. TheRegister said.

Until 30 September, the Dark Web site that hosted BlackCat’s leak site was accessible. NJVC is no longer listed as a victim of the gang and has been removed from its website.

“We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” ALPHV said, per the screenshot.

Professional Rookies

In late 2021, the first outbreaks of BlackCat ransomware were observed, and the Rust programming language was used in BlackCat. 

Ransomware-as-a-service (RaaS) is one of the business models operated by this organization, just like so many others in the criminal underworld.

A number of prominent ransomware families are known to have been used by threat actors who started deploying BlackCat ransomware.

Here below we have mentioned those ransomware families:-

  • Conti
  • LockBit
  • REvil

Darkside and Blackmatter ransomware cartels are linked with the BlackCat cartel. This group may have a well-established network with close ties to the ransomware industry in the case of the ransomware business.

As one of the most active ransomware gangs in recent years, BlackCat has been among the most prominent. It is estimated that in 2022, near about 12% of all attacks were perpetrated by this group.

It is estimated that the group’s activity has increased by 117% since the quarter before, in comparison with the quarter prior. Moreover, as part of the group’s strategy, high-profile, critical industries are being targeted by the group.

Cheerscrypt Linux-based Ransomware Encrypt Both Linux & Windows Systems

Ransomware Protection Playbook

Tags: BlackCat, Department of Defense

Apr 25 2022

BlackCat Ransomware gang breached over 60 orgs worldwide

Category: Ransomware,Security BreachDISC @ 7:53 am
BlackCat Ransomware gang breached over 60 orgs worldwide

At least 60 entities worldwide have been breached by BlackCat ransomware, warns a flash report published by the U.S. FBI.

The U.S. Federal Bureau of Investigation (FBI) published a flash report that states that at least 60 entities worldwide have been breached by BlackCat ransomware (aka ALPHV and Noberus) since it started its operations in November.

“The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide.” reads the flash advisory. “CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations.”

The list of the victims of the gang includes Moncler, the Swissport, and Inetum.

The BlackCat/ALPHV a Ransomware was first discovered in December by malware researchers from Recorded Future and MalwareHunterTeam. The malware is the first professional ransomware strain that was written in the Rust programming language.

BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

According to the alert, many of the developers and money launderers for gang are linked to
Darkside/Blackmatter operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

ALPHV is attempting to recruit affiliates for its operations, offering them between 80% and 90% of the final ransom, depending on its value. The BlackCat operations only hit a small number of victims at this time in the USA, Australia, and India.

Ransom demands range from a few hundreds of thousands up to $3M worth of Bitcoin or Monero.

The alert includes indicators of compromise (IoCs) associated with BlackCat/ALPHV, as of mid-February 2022.

The FBI is seeking any information that can be shared related to the operations of the BlackCat ransomware operation.

Below are recommended mitigations included in the alert:

  • Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
  • Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating system defined or recognized scheduled tasks for unrecognized “actions” (for example: review the steps each scheduled task is expected to perform).
  • Review antivirus logs for indications they were unexpectedly turned off.
  • Implement network segmentation.
  • Require administrator credentials to install software.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
  • Use multifactor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts.
  • Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install and regularly update antivirus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.

Ransomware Protection Playbook

Tags: BlackCat