FBI warns Rust-based ransomware has breached over 60 organisations

The Federal Bureau of Investigation (FBI) has warned of BlackCat ransomware-as-a-service (RaaS) which it believes has compromised at least 60 entities around the world since last November.

BlackCat has been recruiting new affiliates since late 2021 and targeting organisations across multiple sectors across the world, according to Varonis Threat Labs. It has actively recruited former REvil, BlackMatter, and DarkSide operators and increased its activity since November 2021. Varonis found that it offers lucrative affiliate payouts, up to 90%, and uses a Rust-based ransomware executable. The group’s leak site also named over 20 victim organisations since January 2022, although the data security firm predicted that the total number of victims was likely to be greater.

The FBI released an alert earlier this month where it found that BlackCat, also known as ALPHV or Noberus, has compromised at least 60 entities worldwide through RaaS as of March 2022. It said it’s the first ransomware group to do so successfully using Rust, a programming language that offers high performance and improved safety features.

The advisory stated that the ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware utilises Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.

The initial deployment of the malware leverages PowerShell scripts, along with Cobalt Strike, and disables security features within the victim’s network. The ransomware also uses Windows administrative tools and Microsoft Sysinternals tools during compromise. BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored. 

“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount,” stated the FBI in the advisory. “Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter,…