Hackers Targeting Exchange Servers to Deploy BlackCat Ransomware

Microsoft has published a blog detailing BlackCat Ransomware, also called ALPHV, a prevalent threat and a major example of the growing ransomware-as-a-service (RaaS) gig economy.

First observed in November 2021, BlackCat was one of the first ransomware families written in the Rust programming language.

According to the Microsoft 365 Defender Threat Intelligence Team, “BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for ‘double extortion,’ where attackers threaten to release the stolen data to the public if the ransom isn’t paid.”

BlackCat Ransomware

Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities. By utilizing an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec.

This ransomware uses a modern language for its payload and attempts to evade detection by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such a language.

The ransomware targets multiple devices and operating systems. Microsoft observed successful attacks against Windows and Linux devices and VMware instances.

The report says the impact of this ransomware has been observed in various countries and regions in Africa, the Americas, Asia, and Europe. Microsoft recommends Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.

Microsoft states that BlackCat can bypass User Account Control (UAC), which means the payload will successfully run even if it runs from a non-administrator context. In particular, the ransomware can determine the computer name of the given system, the local drives on a device, and the AD domain name and username on a device.

The malware can also recognize whether a user has domain admin privileges, thus increasing its capability of ransoming more devices. The report says, “BlackCat discovers all servers that are connected to a network.” The company says several cybercrime groups are now affiliates of this ransomware-as-a-service (RaaS) operation and are actively using it in attacks.

BlackCat ransomware attack chain via Exchange vulnerability exploitation

Protecting Against BlackCat Ransomware Attack

Microsoft says that organizations must shift their defensive strategies to prevent the end-to-end attack chain. Hardening networks through best practices such as access monitoring and proper patch management is also essential.

Defenders should re-examine their organization’s identity posture, check external access, and locate vulnerable Exchange servers in their environment so they can be updated as soon as possible.
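As an illustration of monitoring for the PsExec-based deployment described above, the following added example (not from Microsoft's report or this article) flags bursts in which PsExec's default service, PSEXESVC, is installed on several hosts within a short window. It assumes Windows System log Event ID 7045 records have been collected centrally; the field names, thresholds and sample events are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records shaped like exported Event ID 7045
# ("A service was installed in the system") entries. Field names are assumed.
SAMPLE_EVENTS = [
    {"time": "2022-06-14T02:10:05", "host": "FS01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-14T02:11:40", "host": "DC01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-14T02:12:00", "host": "FS01", "event_id": 7036,
     "service": "PSEXESVC", "image": ""},  # state change, not an install
    {"time": "2022-06-14T02:13:02", "host": "sql02", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-14T02:14:30", "host": "WEB03", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2022-06-14T02:15:00", "host": "WEB03", "event_id": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\BackupAgent\agent.exe"},
    {"time": "2022-06-14T09:30:00", "host": "ADMIN-PC", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

def psexec_installs(events):
    """Return sorted (time, host) pairs for 7045 events naming PSEXESVC."""
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        if "psexesvc" in (e["service"] + " " + e["image"]).lower():
            hits.append((datetime.fromisoformat(e["time"]), e["host"].upper()))
    return sorted(hits)

def fan_out_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return (first_seen, last_seen, hosts) for each burst in which PSEXESVC
    was installed on at least min_hosts distinct hosts within the window."""
    hits, alerts, i = psexec_installs(events), [], 0
    while i < len(hits):
        start, j = hits[i][0], i
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1
        hosts = sorted({host for _, host in hits[i:j]})
        if len(hosts) >= min_hosts:
            alerts.append((start, hits[j - 1][0], hosts))
            i = j  # skip past the burst already reported
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for first, last, hosts in fan_out_alerts(SAMPLE_EVENTS):
        print(f"PsExec fan-out {first} .. {last}: {', '.join(hosts)}")
```

The single PSEXESVC install on ADMIN-PC does not alert, which keeps routine one-off administrative use below the threshold; tune the window and host count to the environment.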

Guru Baran