BlackCat ransomware could be about to get a whole lot nastier

Following a spate of recent attacks, the notorious BlackCat ransomware could be about to get a whole lot nastier, new research has claimed.

A report from Sophos has said that the threat actors behind the ransomware now appear to have added the Brute Ratel tool to their arsenal, making the tool that much more dangerous.

Brute Ratel is a penetration testing and attack simulation tool, similar but lesser-known that, for example, Cobalt Strike. 

Targeting outdated systems

“What we’re seeing with BlackCat and other attacks recently is that threat actors are very efficient and effective in their work. They use tried and true methods, like attacking vulnerable firewalls and VPNs, because they know these still work. But they show innovation to avoid security defenses, like switching to the newer post-exploitation C2 framework Brute Ratel in their attacks,” said (opens in new tab) Christopher Budd, senior manager, threat research, Sophos.

Brute Ratel is not the only tool being used, as when analyzing previous incidents, BlackCat was observed using other open-source and commercially available tools to create additional backdoors and other remote access alternatives, such as TeamViewer, or nGrok. Obviously, Cobalt Strike was also used. 

Usually, BlackCat operators would look for outdated firewalls (opens in new tab) and unpatched VPN services, as their initial point of entry. Since December 2021, they’ve managed to successfully infiltrate at least four organizations, by exploiting vulnerabilities in firewalls. 

Once they obtain network access, they’ll use the firewalls to extract the credentials, and freely move laterally throughout the system. 

BlackCat doesn’t appear to favor any particular victims, with the threat targeting businesses in the US, Europe, and Asia. 

The only pre-requisite for an attack is that the business operates on systems that have reached end-of-life, don’t have multifactor authentication or VPNs, and use flat networks (where every endpoint has visibility into all other endpoints on the network). 

“The common denominator with all these attacks is that they were easy to carry out. In one instance, the same BlackCat attackers installed cryptominers a month before launching the ransomware. This latest research highlights how important it is to follow established best security practices; they still have a lot of power to prevent and thwart attacks, including multiple attacks against a single network.”