Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is BlackCat Ransomware and How to Protect Against it?


What is BlackCat Ransomware?

BlackCat, also known as ALPHV, is a ransomware family first observed in November 2021. More precisely, it is a ransomware-as-a-service (RaaS) operation: a core group develops and maintains the malware, and affiliates carry out the intrusions and split the proceeds. It is regarded as one of the most technically advanced RaaS operations to date.

BlackCat is designed to be difficult to remove. It attempts to stop or disable antivirus and other security tooling, and it may modify system files and settings to persist across reboots and to make recovery harder.

The BlackCat group has been recruiting affiliates away from other RaaS operations with a payout of up to 90% of each ransom and a highly customizable toolset that lets even inexperienced affiliates run sophisticated attacks against large organizations.

The largest ransom demand attributed to BlackCat so far is $14 million, and discounts are offered to victims who pay quickly. Paying should be a last resort: it funds further criminal activity, and there is no guarantee that the decryption key will work or that the attackers will delete the data they stole.

Once files are encrypted, the attackers demand payment, usually in cryptocurrency such as Bitcoin, in exchange for the decryption key. The ransomware drops a ransom note and may also display a message on the victim’s screen with instructions on how to pay and receive the key.

How Does BlackCat Ransomware Spread?

Because BlackCat is a RaaS operation, the initial access route depends on the affiliate. Phishing emails carrying a malicious attachment or a link to an infected website are a common entry point. Once it has a foothold on one machine, the ransomware can spread across the network rapidly, particularly when it has been supplied with valid domain credentials.

BlackCat practices “triple extortion”: the attackers first take a copy of the victim’s data, then encrypt the data on the victim’s systems. If the victim refuses to pay, they threaten to destroy the decryption keys, publish the stolen data, and/or launch a distributed denial-of-service (DDoS) attack against the victim.

An important difference between BlackCat and most other ransomware is that it is written in the Rust programming language. Rust-based malware is likely to become more common: the language is fast, produces stable binaries with memory safety built in, and, when BlackCat appeared, was unfamiliar enough to analysts and to signature-based tooling that its binaries often slipped past existing detections. BlackCat also ships builds for non-Windows systems, including Linux hosts and VMware ESXi hypervisors. Because far fewer malware strains target Linux, administrators of those systems are often less prepared for a ransomware incident than their Windows counterparts.

BlackCat is highly configurable. Each build embeds a JSON configuration that lets the affiliate select the encryption algorithm and mode, customize the ransom note, specify which files, folders, and extensions to skip, and list the services and processes to terminate so that files they hold open can be encrypted. The configuration can also carry domain credentials, which the ransomware uses to authenticate to other systems in the domain and spread to them.

Examples of BlackCat Ransomware attacks

Because BlackCat has only been active since late 2021, there are still few well-documented examples of its attacks. One is the attack of January 29th, 2022, on two German oil distribution companies, which affected 233 gas stations across Germany; the disruption was serious enough that one of the largest oil and gas companies was forced to reroute supplies. According to an article by ZDNet.com, the BlackCat group is believed to have been behind the attack.

How to Protect Against BlackCat Ransomware Attacks

The methods used to protect your systems and data from BlackCat ransomware attacks are much the same as the methods used to protect against other forms of ransomware. These methods include:

Educating employees

Educating employees is one of the most effective ways to protect against BlackCat ransomware and other types of malware. When employees understand the risks associated with ransomware and can recognize potential threats, they are better equipped to prevent attacks and to respond appropriately if one occurs.

Employees should be trained to identify phishing emails, which are commonly used to distribute ransomware like BlackCat. These emails may appear to be from a legitimate source, such as a bank or a shipping company, and may contain a malicious attachment or link that, when clicked, installs the ransomware on the computer.

Employees should also be trained to avoid clicking on links or downloading attachments from unknown or suspicious sources and to be cautious when opening emails from unfamiliar senders.

Additionally, employees should be shown how to keep their software and antivirus programs up to date where that is not managed centrally, and, above all, how to report suspicious activity to IT or security personnel quickly. An early report of a phishing email or an unexpected pop-up is often the difference between an attempted and a successful attack.

Regular security awareness training can help employees stay informed about the latest ransomware threats and best practices for preventing and responding to them. By educating employees on how to identify and avoid potential ransomware attacks, businesses can significantly reduce the risk of a BlackCat ransomware infection and other cybersecurity threats.

Encrypting sensitive data

Encrypting sensitive data limits what an attacker can do with it, but it is important to be precise about what it protects against. Full-disk encryption such as BitLocker for Windows or FileVault for Mac decrypts transparently for every process running on an unlocked machine, so ransomware running under a logged-in user reads (and exfiltrates) those files in the clear and can encrypt them again just as easily. Disk encryption protects against the theft of a powered-off laptop or a drive pulled from a server; on its own it does not protect against the data theft that underpins BlackCat’s extortion.

What does blunt the leak threat is encryption whose keys the compromised account cannot reach: application- or field-level encryption of financial records, personal information, and other business-critical files, with keys held in a key management service or HSM and released only to the services that legitimately need them. BitLocker and FileVault remain worthwhile for laptops and other portable devices, alongside third-party encryption tools for the application layer.

In addition to encrypting sensitive data, businesses should implement access controls to restrict who can view or modify the data. This is done through authentication and authorization: strong authentication for every account, and access limited to what each role actually requires (least privilege), which also limits how much data a single compromised account can reach.

Combining encryption with tight access controls reduces both the likelihood that a BlackCat infection reaches sensitive data and the impact if it does. Stolen ciphertext is useless to the attacker as long as the decryption keys are stored securely, separately from the data, and out of reach of the compromised account.

Backing up data

Backing up your data is one of the most effective ways to protect against BlackCat ransomware and other similar types of malware. When you back up your data, you create a copy of all your important files and store them in a separate location, such as an external hard drive, cloud storage, or a different computer.

If a computer is infected with BlackCat ransomware, you can rebuild it (reimaging is safer than trying to clean the infected files) and restore your data from the backup, recovering without paying a ransom or losing files permanently. That only works if the backup predates the intrusion and has been tested: restore a sample of files on a schedule so that you know the procedure works before you need it.

However, backups must be stored where the ransomware cannot reach them. A backup on an external hard drive that is permanently connected, or on a network share that the infected account can write to, will simply be encrypted along with everything else, and ransomware operators routinely look for and destroy backups before they start encrypting. Keep at least one copy offline or on immutable, versioned storage (write-once object storage, or snapshots that the backup account itself cannot delete), physically separate from production systems. If you use a cloud backup service, choose a reputable one with strong access controls and encryption, and protect its management console with multi-factor authentication.

Installing updates

Installing updates is another effective way to protect against BlackCat ransomware and other types of malware. Software updates often contain security patches that address vulnerabilities that could be exploited by ransomware attackers.

When a software vulnerability is discovered, software vendors release updates to fix the issue and prevent attackers from exploiting it. These updates may include security patches, bug fixes, and new features. Failure to install these updates could leave the system vulnerable to attack.

Attackers often target outdated software, such as unpatched operating systems, web browsers, and plugins, and ransomware affiliates in particular look for known vulnerabilities in internet-facing systems such as VPN appliances, mail servers, and remote access gateways. By installing updates regularly, and prioritizing those internet-facing systems, businesses ensure that their software carries the latest security patches, which makes it harder for attackers to exploit vulnerabilities and gain access to the network.

In addition to installing updates, businesses should also consider using automated patch management software to simplify the process of updating and securing their systems. This software can automate the installation of updates, schedule them during off-hours, and provide detailed reports on the status of the system updates.

By regularly installing updates and using automated patch management software, businesses can significantly reduce the risk of a BlackCat ransomware infection and other types of cyber-attacks.

The use of strong passwords

Attackers try to compromise as many user accounts as possible so that they can reach, and encrypt, as many files as possible. A strong password policy, or better still multi-factor authentication, makes it harder for attackers to use stolen credentials to move into other parts of your network. Service and administrative accounts deserve particular attention, since BlackCat can be configured with domain credentials in order to spread.

Monitoring network traffic

Monitoring network traffic is another effective way to protect against BlackCat ransomware and other types of malware. Network traffic monitoring involves analyzing the flow of data between devices on the network, including incoming and outgoing traffic.

By monitoring network traffic, IT and security teams can identify unusual patterns that may indicate a ransomware infection or other cyber-attack. For example, a sudden increase in outbound traffic from a particular device, especially to a destination it has never contacted before, may mean that the device has been compromised and is exfiltrating data ahead of encryption (the first stage of the triple-extortion model) or communicating with a command and control server.

Network traffic monitoring can also help identify the source of the infection and the extent of the damage. By analyzing the traffic logs, IT and security teams can identify the devices that are communicating with the infected device and determine whether the ransomware has spread to other parts of the network.
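The “sudden increase in outbound traffic” signal described above can be checked mechanically against flow records. The following is an added example, not code from the original article or from any product: it learns each internal host’s normal egress per five-minute window from historical flows and flags a window that is far above that baseline. The flow record fields, the internal address ranges, the window size, the thresholds and the sample flows are all constructed for the illustration.

```python
"""Flag hosts whose outbound byte volume jumps far above their own baseline.

Added example. The flow records imitate what a firewall or NetFlow collector
exports (timestamp, source, destination, bytes); field names, ranges, window
and thresholds are choices made for this illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

WINDOW_SECONDS = 300            # aggregate egress into 5-minute buckets
RATIO_THRESHOLD = 10            # alert when a bucket is 10x the host's median bucket
MIN_BYTES = 50 * 1024 * 1024    # ... and at least 50 MiB, so idle hosts stay quiet

# Internal ranges as the organisation defines them (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def flow(ts: str, src: str, dst: str, nbytes: int) -> dict:
    """Build one flow record; timestamps are ISO 8601 in UTC."""
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "bytes": nbytes}


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def egress_per_bucket(flows) -> dict:
    """Sum bytes per (host, bucket) for flows that leave the internal ranges."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            bucket = int(f["ts"].timestamp() // WINDOW_SECONDS)
            totals[(f["src"], bucket)] += f["bytes"]
    return totals


def baselines(totals: dict) -> dict:
    """Per-host median egress per bucket, learned from historical flows."""
    per_host = defaultdict(list)
    for (host, _), nbytes in totals.items():
        per_host[host].append(nbytes)
    return {host: median(vals) for host, vals in per_host.items()}


def detect_exfil(history, current) -> list:
    """Return one alert per (host, bucket) whose egress is far above baseline.

    A host with no history at all is judged on the absolute threshold only."""
    base = baselines(egress_per_bucket(history))
    alerts = []
    for (host, bucket), nbytes in sorted(egress_per_bucket(current).items()):
        ref = base.get(host, 0)
        if nbytes >= MIN_BYTES and (ref == 0 or nbytes >= RATIO_THRESHOLD * ref):
            alerts.append({"host": host, "bucket": bucket,
                           "bytes": nbytes, "baseline": ref})
    return alerts


# Constructed history: 10.0.1.20 normally sends about 2 MB per bucket to a SaaS host.
HISTORY = [flow(f"2024-03-01T09:{m:02d}:00Z", "10.0.1.20", "198.51.100.10", 2_000_000)
           for m in range(0, 30, 5)]

# Constructed current window: the same host pushes 400 MB to an address it has never
# used, a second host sends a little, and a large internal-to-internal copy is ignored.
CURRENT = [
    flow("2024-03-01T10:02:00Z", "10.0.1.20", "203.0.113.5", 400_000_000),
    flow("2024-03-01T10:03:00Z", "10.0.1.21", "203.0.113.5", 1_000_000),
    flow("2024-03-01T10:03:30Z", "10.0.1.20", "10.0.2.5", 900_000_000),
]

if __name__ == "__main__":
    for a in detect_exfil(HISTORY, CURRENT):
        print(f"ALERT {a['host']}: {a['bytes']} bytes egress vs baseline {a['baseline']:.0f}")
```

The per-host median is deliberately robust to the occasional large upload in the history, and the absolute floor stops a host that normally sends almost nothing from alerting on a few megabytes. In practice the baseline should be recomputed daily from a trusted window, and the alert should be enriched with the destination addresses so the analyst can tell a new cloud service from an attacker’s drop server.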

In addition to monitoring network traffic, businesses should also consider implementing intrusion detection and prevention systems (IDPS) to provide real-time alerts of potential threats. These systems can monitor network traffic and identify suspicious activity, such as attempts to exploit vulnerabilities or unauthorized access attempts.

By monitoring network traffic and using intrusion detection and prevention systems, businesses can detect and respond to ransomware attacks quickly, minimizing the impact of the attack and reducing the risk of data loss.

Monitoring file and folder activity

Use a real-time, data-centric file auditing solution to keep a close eye on how your files and folders are accessed and changed. As a priority, alert on files being encrypted that have no business reason to be, for example documents containing non-sensitive data: if data isn’t sensitive, there is no legitimate reason for it to suddenly turn into ciphertext. Some newer solutions allow you to set up threshold conditions and then trigger an alert or execute a custom script when a condition is met. For example, if more than x files are copied, renamed, or encrypted by one account within a given time frame, the script can disable that user account, change the firewall settings, shut down servers, or take any other action that helps to stop the attack in its tracks. Test such automated responses carefully before enabling them; a false positive that disables a service account or powers off a file server has an impact of its own.
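The threshold condition described above (x files renamed or encrypted by one account within a time frame, then an automated response) is the kind of rule a practitioner would want to see working end to end. The following is an added example, not code from the original article or from Lepide’s product: it reads file audit events in a constructed line format, counts extension-changing renames per user in a sliding window, and calls a response hook once when a user trips the threshold. The log format, the threshold, the window and the sample events are all constructed; the response hook only records the actions it would take.

```python
"""Threshold detection of a mass-rename burst in file audit events.

Added example. The audit line format, the threshold, the window and the
sample events are constructed for this illustration; adapt parse_event()
to whatever your file auditing product exports.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from pathlib import PurePosixPath

THRESHOLD = 50                   # extension-changing renames by one account ...
WINDOW = timedelta(seconds=60)   # ... within this window trips the alert

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'path="(?P<path>[^"]+)"(?: newpath="(?P<newpath>[^"]+)")?$'
)


def parse_event(line: str) -> dict:
    """Parse one audit line into a dict; timestamps are ISO 8601 UTC."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def changes_extension(ev: dict) -> bool:
    """A rename that swaps the extension (report.docx -> report.docx.locked) is
    the footprint most encryptors leave; ordinary renames keep the extension."""
    if ev["action"] != "RENAME" or not ev["newpath"]:
        return False
    return PurePosixPath(ev["newpath"]).suffix not in ("", PurePosixPath(ev["path"]).suffix)


def detect_bursts(lines, respond) -> list:
    """Sliding-window count per user. `respond(user)` runs once when a user
    trips the threshold; whatever it returns is kept in the alert for audit."""
    recent = defaultdict(deque)      # user -> timestamps of recent suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not changes_extension(ev):
            continue
        window = recent[ev["user"]]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > WINDOW:
            window.popleft()
        if len(window) >= THRESHOLD and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(window),
                           "first": window[0], "last": ev["ts"],
                           "response": respond(ev["user"])})
    return alerts


def contain_account(user: str) -> list:
    """Placeholder response hook. A real deployment would disable the account in
    AD or the IdP and terminate its sessions; here it only records the actions."""
    return [f"disable-account:{user}", f"kill-smb-sessions:{user}"]


def constructed_events() -> list:
    """Sample audit lines: alice works normally, svc_backup renames 60 files
    to a .locked extension within about 20 seconds."""
    base = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        t = (base + timedelta(minutes=3 * i)).isoformat().replace("+00:00", "Z")
        lines.append(f'{t} user=alice action=WRITE path="/shares/hr/notes{i}.txt"')
        lines.append(f'{t} user=alice action=RENAME path="/shares/hr/draft{i}.docx" '
                     f'newpath="/shares/hr/final{i}.docx"')
    for i in range(60):
        t = (base + timedelta(minutes=1, milliseconds=333 * i)).isoformat().replace("+00:00", "Z")
        lines.append(f'{t} user=svc_backup action=RENAME path="/shares/finance/q{i}.xlsx" '
                     f'newpath="/shares/finance/q{i}.xlsx.locked"')
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_events(), contain_account):
        print(f"ALERT {alert['user']}: {alert['count']} renames between "
              f"{alert['first']} and {alert['last']} -> {alert['response']}")
```

Counting only renames that change the extension keeps alice’s ordinary draft-to-final renames out of the count, which is what keeps the rule usable at a threshold low enough to fire before an encryptor has finished a share. The detector alerts once per user and records what the response hook did, so the action can be reviewed afterwards.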

Use Multi-Factor Authentication

Multi-factor Authentication (MFA) is an authentication method that uses two or more distinct mechanisms to validate a user’s identity, rather than relying on just a simple username and password combination.

Creating strong passwords is the first step and an essential part of a healthy cybersecurity culture. A strong password is long, unique to the account, and changed promptly whenever it may have been exposed; routine expiry on a fixed schedule mostly pushes users toward predictable variations of the old password. Aim for at least 12 characters (not digits), mixing upper and lower case letters, numbers, and special characters where policy requires it, and provide a password manager so that long, unique passwords are practical.

However, even strong passwords aren’t always enough, because they can be guessed, phished, or stolen from another breach. So, the next step is to implement Multi-Factor Authentication (MFA), where two or more verification credentials are required before users can access your system.

A common multi-factor authentication element is a One-Time Password (OTP). If your password is compromised, the attacker will also need the OTP, which is generated by an authenticator app or sent to a phone number, email address, or other application that you have registered in advance. Without access to the OTP, they will be unable to log in. Codes delivered by SMS or email can themselves be intercepted or phished, so app-based (TOTP) or hardware (FIDO2) factors are preferable, particularly for administrator accounts.

How Does Lepide Help Protect Against BlackCat Ransomware?

The Lepide Data Security Platform is a comprehensive security solution that can help protect against BlackCat ransomware and other types of malware. The platform provides real-time monitoring and alerting, data discovery and classification, and visibility into access controls, to protect sensitive data and prevent unauthorized access.

One of the key features of the Lepide Data Security Platform is its ransomware detection capability. The platform monitors file activity in real time and alerts administrators to suspicious activity that may indicate a ransomware attack, such as a burst of file renames during an encryption event.

The platform also includes data discovery and classification tools that can identify sensitive data, such as financial records, personally identifiable information (PII), and intellectual property. Once identified, access controls can be implemented to restrict who can view, modify, or delete the data.

Additionally, the Lepide Data Security Platform includes features such as privilege escalation monitoring, user behavior analytics, and file activity monitoring to detect and respond to potential ransomware attacks in real time.

If you’d like to see how the Lepide Data Security Platform can help you prevent BlackCat ransomware attacks, schedule a demo with one of our engineers.