Microsoft provides details about BlackCat ransomware’s techniques and capabilities


Devdiscourse News Desk | California | Updated: 14-06-2022 10:27 IST | Created: 14-06-2022 10:27 IST

The BlackCat ransomware is known for its unconventional programming language (Rust), its multiple target devices and possible entry points, and its affiliation with prolific threat activity groups. In a new blog post, the Microsoft 365 Defender Threat Intelligence Team provides details about the ransomware's techniques and capabilities whilst offering best practices and recommendations to help defenders protect their organizations against this threat.

Based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe. Microsoft said it observed two of the most prolific affiliate groups associated with ransomware deployments deploying BlackCat: DEV-0237, known for its distribution of Hive, Conti, and Ryuk ransomware, and DEV-0504, which has been observed delivering Ryuk, REvil, BlackMatter, and Conti.

According to Microsoft, BlackCat can target and encrypt Windows and Linux devices and VMware instances. It has extensive capabilities, including self-propagation that an affiliate can configure for their own use and for the environment encountered.

  • BlackCat can bypass user account control (UAC), meaning the payload will successfully run even if it runs from a non-administrator context.
  • It can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device.
  • As already mentioned, this ransomware has self-propagation capabilities. It discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNS) messages to check for these additional devices and then attempts to replicate itself on the servers that answer.
  • BlackCat also hampers recovery efforts.
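The NBNS broadcast sweep described above is noisy on the wire, which gives defenders a detection hook. The following is an added example (not code from the article or from Microsoft) that flags any host sending an unusual burst of NetBIOS Name Service (UDP 137) broadcasts within a sliding window; the flow-record format, the /24 broadcast assumption and the threshold of 20 per minute are assumptions for illustration and would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NBNS_PORT = 137
WINDOW = timedelta(seconds=60)
THRESHOLD = 20  # assumed tuning value: broadcasts per window above normal name-resolution chatter


def build_sample_flows():
    """Constructed sample flow records (not real data): one line per UDP datagram,
    'timestamp src_ip dst_ip dst_port'. 10.0.0.5 fires 40 NBNS broadcasts in 40
    seconds (a sweep-like pattern); 10.0.0.9 sends three ordinary lookups."""
    base = datetime(2022, 6, 14, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.0.255 137"
             for i in range(40)]
    lines += [f"{(base + timedelta(minutes=m)).isoformat()} 10.0.0.9 10.0.0.255 137"
              for m in (1, 7, 15)]
    lines.append(f"{base.isoformat()} 10.0.0.5 10.0.0.10 445")  # non-NBNS traffic, ignored
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def is_broadcast(ip):
    return ip.endswith(".255")  # assumption: /24 subnets; adapt to the real netmask


def nbns_broadcast_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak NBNS broadcast count in any window} for sources at or above threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port == NBNS_PORT and is_broadcast(dst):
            per_src[src].append(ts)
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print(nbns_broadcast_bursts(parse_flows(build_sample_flows())))
```

A single burst is only a lead; correlate the flagged host with subsequent SMB connections to the answering servers before treating it as propagation.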

As observed by the Microsoft 365 Defender Threat Intelligence Team, the common entry points for ransomware affiliates were compromised credentials used to access internet-facing remote access software, and unpatched Exchange servers. Therefore, defenders are advised to review their organization's identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment so they can be updated as soon as possible.

"The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat are not worth forgoing downtime, service interruption, and other pain points related to applying security updates and implementing best practices," Microsoft said.

More details can be found here.
