Cyber threat actors have been found to launch attack campaigns by exploiting vulnerable Microsoft Exchange servers to spread BlackCat ransomware. After gaining access to vulnerable Microsoft Exchange servers, BlackCat ransomware was found to be distributed to target systems with the PsExec tool. In this way, threat actors infiltrate target systems, obtain critical identity data of users and carry out “double extortion” activities. Double Extortion is the name given to cases where threat actors threaten to leak data or publish some of it on the Internet, even if the ransom is paid in ransomware-infected organizations.
BlackCat ransomware was first observed in 2021 and developed with the Rust programming language. RaaS (Ransomware-as-a-Service) operators aim to ensure persistence by gaining unauthorized access to multiple systems on the target network before ransomware activities. How BlackCat ransomware infects victims differ according to the techniques and tactics of RaaS operators. For example, It is known that the FIN12 threat group, which organizes ransomware campaigns such as Ryuk, Hive, and Conti, has been one of the BlackCat operators since March 2022. BlackCat ransomware is also distributed by the DEV-0504 threat group, which uses the Stealbit malware of the LockBit threat group. The DEV-0504 threat group is known to use BlackMatter, Conti, LockBit 2.0, Revil, and Ryuk ransomware.
The Microsoft Exchange Server vulnerabilities used in the said attack campaign are as follows;
Using ransomware with different versions in attack campaigns significantly increases the risk of institutions and organizations encountering BlackCat-like malware. In this context, in order not to be the target of similar ransomware attacks;
- Beware of untrusted e-mail content,
- Not opening additional files/links of suspicious sender mail addresses,
- Using reliable Anti-Malware solutions
- Using licensed and current technologies,
- It is recommended to block shared IoC findings related to the malware campaign by security solutions.