Cyber threat actors have been found to launch attack campaigns by exploiting vulnerable Microsoft Exchange servers to spread BlackCat ransomware. After gaining access to vulnerable Microsoft Exchange servers, BlackCat ransomware was found to be distributed to target systems with the PsExec tool. In this way, threat actors infiltrate target systems, obtain critical identity data of users and carry out “double extortion” activities. Double Extortion is the name given to cases where threat actors threaten to leak data or publish some of it on the Internet, even if the ransom is paid in ransomware-infected organizations.

BlackCat ransomware was first observed in 2021 and developed with the Rust programming language. RaaS (Ransomware-as-a-Service) operators aim to ensure persistence by gaining unauthorized access to multiple systems on the target network before ransomware activities. How BlackCat ransomware infects victims differ according to the techniques and tactics of RaaS operators. For example, It is known that the FIN12 threat group, which organizes ransomware campaigns such as Ryuk, Hive, and Conti, has been one of the BlackCat operators since March 2022. BlackCat ransomware is also distributed by the DEV-0504 threat group, which uses the Stealbit malware of the LockBit threat group. The DEV-0504 threat group is known to use BlackMatter, Conti, LockBit 2.0, Revil, and Ryuk ransomware.

The Microsoft Exchange Server vulnerabilities used in the said attack campaign are as follows;

CVE-2021-26855
CVE-2021-26858
CVE-2021-26857
CVE-2021-27065

Using ransomware with different versions in attack campaigns significantly increases the risk of institutions and organizations encountering BlackCat-like malware. In this context, in order not to be the target of similar ransomware attacks;

Beware of untrusted e-mail content,
Not opening additional files/links of suspicious sender mail addresses,
Using reliable Anti-Malware solutions
Using licensed and current technologies,
It is recommended to block shared IoC findings related to the malware campaign by security solutions.

Blackcat blackcat ransomware Microsoft

BlackCat Ransomware Is Targeted Vulnerable Microsoft Exchange Servers

BlackCat Ransomware Is Targeted Vulnerable Microsoft Exchange Servers

European Focused Threat Actors – Who Actively Continue Their Strategies

Critical 0-Day Alarm in Microsoft Exchange Server

European Focused Threat Actors – APT Groups

Multiple Vulnerabilities Detected in Solarwinds Orion

Security News – Week 39

Zebrocy Malware Technical Analysis Report

Related Posts

Critical 0-Day Alarm in Microsoft Exchange Server

Multiple Vulnerabilities Detected in Solarwinds Orion

Critical RCE Alarm in Sophos Firewall Solutions

AffectMe: The Critical Vulnerability in Oracle Cloud Infrastructure

We know what hackers know about you

Solutions

Use Case

Partners

Company