Who are dreaded Blackcats and why the US govt placed $10mn bounty on them?

The Blackcat hunt: The US State Department has announced a reward of up to $10 million for any information leading to the identification of the "Blackcat" ransomware group. This group targeted the tech unit of UnitedHealth Group, resulting in major disruptions to insurance payments across the United States.

According to the State Department, the "ALPHV Blackcat" ransomware-as-a-service group infiltrated computer networks belonging to critical infrastructure sectors both in the United States and globally.

What is Ransomware? 

Ransomware is a type of malicious software (malware) designed to block access to a computer system or files until a sum of money, or "ransom," is paid. It typically encrypts files on the victim's system, making them inaccessible, and then demands payment in exchange for a decryption key or to restore access. 

Ransomware attacks can be delivered through various means, including email attachments, compromised websites, or exploiting vulnerabilities in software. These attacks can have severe consequences for individuals, businesses, and organisations, often resulting in financial losses, data breaches, and disruption of operations.

What is Blackcat ransomware? 

Blackcat is an advanced ransomware group using Rust, a secure programming language, to target a wide range of systems. Their Ransomware-as-a-Service (RaaS) model offers affiliates 80-90 per cent of profits, attracting attackers and facilitating rapid expansion. 

The Blackcat ransomware group has gained notoriety for its cyber operations, with the FBI reporting an uptick in its activity since mid-November 2021. The group has targeted more than 60 victims according to a FLASH alert published in April 2022.

They differentiate by hosting a public data leaks website, increasing visibility to potential victims and pressuring them to comply. This strategy, combined with Rust's complexity and encryption efficiency, poses challenges for security analysts and underlines Blackcat's sophisticated approach to cybercrime.

How does Blackcat hunt? 

The group employs sophisticated techniques to infiltrate and compromise systems. They typically gain initial access using compromised user credentials and then proceed to compromise user and admin accounts in the Active Directory. This allows them to configure malicious Group Policy Objects (GPOs) through the Windows Task Scheduler, facilitating the deployment of their ransomware payload.

Once deployed, Blackcat disables security features within the victim's network to facilitate the exfiltration of information before executing its ransomware. The group uses various batch and PowerShell scripts in its infection process, including "est.bat," which copies the ransomware to other locations, and "drag-and-drop-target.bat," which launches the ransomware executable specifically for MySQL Server.

Victims of Blackcat ransomware attacks often face significant challenges in recovering their data, as evidenced by the incident response of a member organisation of the Multi-State Information Sharing and Analysis Center (MS-ISAC). Despite efforts to restore domain controllers and servers, the organisation was only partially successful, losing significant data in the process.

As with any cyber threat, organisations should remain vigilant and implement robust security measures to mitigate the risk of falling victim to ransomware attacks perpetrated by groups like Blackcat.