BlackCat ransomware was first observed in 2021 and is written in the Rust programming language. RaaS (Ransomware-as-a-Service) operators aim to establish persistence by gaining unauthorized access to multiple systems on the target network before the ransomware itself is deployed, so how BlackCat infects victims differs according to the techniques and tactics of the particular RaaS operator. For example, the FIN12 threat group, which has run ransomware campaigns such as Ryuk, Hive, and Conti, is known to have been one of the BlackCat operators since March 2022. BlackCat ransomware is also distributed by the DEV-0504 threat group, which uses the Stealbit data-exfiltration tool of the LockBit threat group. DEV-0504 is known to have deployed BlackMatter, Conti, LockBit 2.0, REvil, and Ryuk ransomware.
The Microsoft Exchange Server vulnerabilities exploited in the BlackCat attack campaign referred to above are the ProxyLogon set, all of which Microsoft patched in March 2021:
- CVE-2021-26855: pre-authentication server-side request forgery (SSRF) in Exchange that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server
- CVE-2021-26858: post-authentication arbitrary file write
- CVE-2021-26857: insecure deserialization in the Unified Messaging service, leading to code execution as SYSTEM
- CVE-2021-27065: post-authentication arbitrary file write
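CVE-2021-26855 is the pre-authentication SSRF that opens the chain, and Microsoft's published detection guidance for it is to search the Exchange HttpProxy logs (under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy) for requests whose AuthenticatedUser is empty and whose AnchorMailbox matches the pattern ServerInfo~*/*. The following Python script is an added example written for this page; it is not part of the original advisory, nor a vendor tool. It applies that check to a constructed sample of HttpProxy log lines. The column layout and every row in the sample are assumptions made for the example (the IP 198.51.100.23 is from a documentation range, not an IoC); in practice the exported log files are read in place of the sample string.

```python
import csv
import io
from collections import Counter

# Constructed sample of Exchange HttpProxy log lines (CSV with a header row).
# The column names follow those referenced in Microsoft's CVE-2021-26855
# detection guidance; the rows themselves are made up for this example and
# are not indicators from the advisory. 198.51.100.0/24 is a documentation range.
SAMPLE_HTTPPROXY_LOG = """DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-02T10:15:01.123Z,1a2b,10.0.0.5,mail.example.local,/owa/,EXAMPLE\\jdoe,Sid~S-1-5-21-1-2-3-1001
2021-03-02T10:15:40.000Z,2b3c,10.0.0.7,mail.example.local,/owa/auth/logon.aspx,,
2021-03-02T10:16:44.456Z,3c4d,198.51.100.23,mail.example.local,/owa/auth/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml
2021-03-02T10:17:02.789Z,5e6f,198.51.100.23,mail.example.local,/ecp/y.js,,ServerInfo~localhost/ews/exchange.asmx
2021-03-02T10:18:30.000Z,7a8b,10.0.0.9,mail.example.local,/ecp/,EXAMPLE\\admin,Sid~S-1-5-21-1-2-3-500
"""


def is_serverinfo_anchor(anchor):
    """True when AnchorMailbox matches the ServerInfo~*/* pattern from the
    guidance: a ServerInfo~ prefix followed by a host and a path component."""
    if not anchor.startswith("ServerInfo~"):
        return False
    return "/" in anchor[len("ServerInfo~"):]


def find_cve_2021_26855_hits(log_text):
    """Return the log rows that look like CVE-2021-26855 (SSRF) exploitation:
    an unauthenticated request whose AnchorMailbox points at a backend URL
    instead of a mailbox SID. Each hit keeps the fields an analyst pivots on.
    An anonymous request with an empty AnchorMailbox (e.g. the OWA logon page)
    is normal traffic and is not reported."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        authenticated_user = (row.get("AuthenticatedUser") or "").strip()
        anchor = (row.get("AnchorMailbox") or "").strip()
        if authenticated_user == "" and is_serverinfo_anchor(anchor):
            hits.append({
                "DateTime": row.get("DateTime", ""),
                "ClientIpAddress": row.get("ClientIpAddress", ""),
                "UrlStem": row.get("UrlStem", ""),
                "AnchorMailbox": anchor,
            })
    return hits


def summarize_by_client(hits):
    """Count hits per source IP so repeated probing from one host stands out."""
    return dict(Counter(hit["ClientIpAddress"] for hit in hits))


if __name__ == "__main__":
    suspicious = find_cve_2021_26855_hits(SAMPLE_HTTPPROXY_LOG)
    for hit in suspicious:
        print(hit["DateTime"], hit["ClientIpAddress"], hit["UrlStem"], hit["AnchorMailbox"])
    print("hits per client:", summarize_by_client(suspicious))
```

Any hit should be triaged against the source IP, the timeline, and web shell or process-creation telemetry from the same window, since a successful SSRF is only the first step of the chain. The other three CVEs leave their traces elsewhere (CVE-2021-26858 in the OABGenerator logs, CVE-2021-26857 in the Windows Application event log under the Unified Messaging source, CVE-2021-27065 in the ECP server logs), so this script alone does not cover the full ProxyLogon set.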
The use of different ransomware families and versions across these attack campaigns significantly increases the risk of institutions and organizations encountering BlackCat-like malware. To avoid becoming the target of similar ransomware attacks, it is recommended to:
- treat unexpected e-mail content with suspicion,
- not open attachments or links from suspicious sender addresses,
- use reliable anti-malware solutions,
- use licensed, supported and fully patched software, including Microsoft Exchange Server, given the vulnerabilities listed above,
- block the shared IoCs related to the malware campaign in security solutions.