In November 2021, security professionals first observed a new strain of ransomware known as BlackCat (or ALPHV), targeting organizations across multiple industries worldwide. The group running BlackCat operates within the “ransomware-as-a-service” (RaaS) business model like other common ransomware groups. They effectively license their software to cybercriminals to use in ransomware attacks for a percentage of the final ransom payment.
BlackCat has proven to be highly virulent and has already victimized dozens of enterprises across the globe, demanding up to $14 million in ransom. Organizations worldwide need to protect themselves from this new threat—and the first step is understanding what BlackCat is and how it operates.
How BlackCat Operates
Today’s ransomware groups are becoming more innovative. Like REvil and DarkSide, many have adopted a “double extortion” method. These groups don’t just steal or encrypt data—they threaten to expose that data on the dark web if victims do not meet their demands. BlackCat takes this a step further, engaging in “triple extortion” by threatening to launch distributed denial-of-service (DDoS) attacks if victims do not give in to their demands. This added threat makes it more appealing to potential affiliates—as does the fact that BlackCat promises a higher percentage of the payout to those who use it.
BlackCat is a particularly sophisticated ransomware strain because it is both human-operated and command-line driven, making it difficult for traditional detection tools to alert accurately on its presence within a system. BlackCat is known to use a variety of different encryption methods and has proven adept at gaining access to networks and moving within them. To accomplish this, BlackCat almost certainly targets Active Directory (AD). Compromising AD is the default attack vector for modern ransomware attacks, giving attackers total control to move laterally within the organization, gain administrative privileges, disable security tools, and identify new information to steal, encrypt, or delete to prevent recovery.
Defending Against BlackCat
Protecting Active Directory is the most effective way to prevent BlackCat from proliferating within the network and accomplishing its goals. Unfortunately, AD sits in a dangerous security gap. Today’s Endpoint Detection and Response (EDR) solutions do not address AD protection, and Identity Access Management (IAM) solutions are focused primarily on providing access rather than restricting it. Effectively defending AD requires a multipronged approach that includes hardening, detecting reconnaissance activity and other indicators of compromise (IoCs), and preventing domain compromise. Identity Detection and Response (IDR) is a relatively new cybersecurity category, but it has quickly become essential. IDR tools help fill the gap left by EDR and IAM, delivering network visibility and the ability to detect credential theft and misuse as well as attempts to enumerate Active Directory.
With ransomware like BlackCat spreading, Identity Detection and Response tools become critical components of a business’s security stack. IDR solutions can secure credentials and AD objects while reducing the attack surface through exposure visibility tools. These can help defenders remove exposures that an attacker would otherwise attempt to leverage. Live attack detection controls for AD are also critical, enabling defenders to identify attack activities such as mass account changes, password spray attacks, dangerous delegation, or domain replication activities. The correct identity security tools can make it impossible for the attacker to move about the network without detection—regardless of the code or techniques they may be using.
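Of the AD attack activities listed above, a password spray is the one with the simplest log signature: one source fails logons against many distinct accounts, with only one or two attempts per account, so that no single account trips a lockout. The following is an added example, not code from the original post or from any Attivo Networks product. It assumes failed-logon records have been flattened into one line per event with the field names of Windows Security event 4625 (TargetUserName, IpAddress, Status); the sample lines, IP addresses, account names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of failed-logon records, modelled on the fields of
# Windows Security event 4625. Not real log data.
SAMPLE_EVENTS = [
    # 10.0.0.50: six different accounts, one failure each, within 20 seconds (spray)
    "2022-01-10T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.50 Status=0xC000006A",
    "2022-01-10T09:00:05 EventID=4625 TargetUserName=bob IpAddress=10.0.0.50 Status=0xC000006A",
    "2022-01-10T09:00:09 EventID=4625 TargetUserName=carol IpAddress=10.0.0.50 Status=0xC000006A",
    "2022-01-10T09:00:13 EventID=4625 TargetUserName=dave IpAddress=10.0.0.50 Status=0xC000006A",
    "2022-01-10T09:00:17 EventID=4625 TargetUserName=erin IpAddress=10.0.0.50 Status=0xC000006A",
    "2022-01-10T09:00:21 EventID=4625 TargetUserName=frank IpAddress=10.0.0.50 Status=0xC000006A",
    # 10.0.0.77: eight failures against one account (brute force, not a spray)
    *[f"2022-01-10T09:10:0{i} EventID=4625 TargetUserName=bob IpAddress=10.0.0.77 Status=0xC000006A"
      for i in range(8)],
    # 10.0.0.12: a single mistyped password (benign)
    "2022-01-10T09:20:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.12 Status=0xC000006A",
    # a successful logon, which the detector must ignore
    "2022-01-10T09:21:00 EventID=4624 TargetUserName=alice IpAddress=10.0.0.12 Status=0x0",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_event(line: str) -> Optional[dict]:
    """Parse one flattened event line; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "id": int(m["id"]),
        "user": m["user"].lower(),   # AD account names are case-insensitive
        "ip": m["ip"],
        "status": m["status"].lower(),
    }


def detect_password_spray(lines: List[str],
                          window: timedelta = timedelta(minutes=10),
                          min_accounts: int = 5,
                          max_per_account: int = 2) -> Dict[str, List[str]]:
    """Return {source_ip: sorted targeted accounts} for every source that, inside any
    `window`, failed logons against at least `min_accounts` distinct accounts while
    never exceeding `max_per_account` failures for any one of them. That shape
    (wide and shallow) is the spray signature; a narrow, deep pattern against one
    account is brute force and is deliberately not reported here."""
    failures = defaultdict(list)  # ip -> [(timestamp, account), ...]
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != 4625:
            continue
        failures[ev["ip"]].append((ev["ts"], ev["user"]))

    findings: Dict[str, set] = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings.setdefault(ip, set()).update(per_user)
    return {ip: sorted(users) for ip, users in findings.items()}


if __name__ == "__main__":
    for ip, accounts in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {ip} against {len(accounts)} accounts: {', '.join(accounts)}")
```

The thresholds are a starting point, not a standard: tune `min_accounts` and `window` against your own baseline of failed logons, and consider restricting the count to status codes that mean "wrong password" (0xC000006A) rather than every 4625, so that a misconfigured service account or a locked-out user does not dominate the window.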
The Attivo Networks identity security portfolio provides these capabilities. The ADAssessor solution reduces the Active Directory attack surface by identifying exposures for remediation, such as exposed ACLs, incorrect settings, or insecure parameters. The ADSecure solution provides live attack detection from endpoints and domain controllers, while the ThreatPath solution reduces the identity attack surface at the endpoints.
The Endpoint Detection Net (EDN) suite detects ransomware attacks via credential theft and behavioral analysis. It monitors for IoCs such as file encryption, entropy changes, registry changes, and process or service termination, and alerts when it detects such activity. The suite can mitigate malicious activities by blocking all input-output operations and terminating the process. It can also provide volume backup of endpoint data and prevent ransomware from deleting backup files created using Windows VSS, which is particularly important as attackers target backups with increased regularity. Additionally, the EDN DataCloak function prevents ransomware from accessing critical data. It hides and prevents attackers from seeing or accessing information like files, folders, and storage locations, making their lives much more difficult. The right security tools can frustrate an attacker looking for a quick score—and that is often enough to convince them to look elsewhere for an easier victim.
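The "entropy changes" IoC named above rests on a simple property: a document, spreadsheet or source file has low Shannon entropy (a few bits per byte), while ciphertext is indistinguishable from random data and sits close to 8 bits per byte. What matters for detection is not the absolute value but the jump, because compressed formats such as JPEG or ZIP are already near 8 bits and would otherwise be false positives. The following is an added example, not code from the original post or from the EDN product; it computes byte entropy and compares a per-file baseline snapshot with a later one. The file names and contents are constructed in memory (seeded pseudo-random bytes stand in for ciphertext and for an already-compressed image), so it runs without touching the filesystem.

```python
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant byte stream,
    8.0 for a uniform distribution over all 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Single-snapshot heuristic: high entropy alone. Useful for triage, but
    it cannot tell ciphertext from a compressed archive or image."""
    return shannon_entropy(data) >= threshold


def entropy_jump_alerts(before: Dict[str, bytes], after: Dict[str, bytes],
                        min_jump: float = 2.0, high: float = 7.0) -> List[str]:
    """Two-snapshot heuristic: flag files whose entropy was known in the
    baseline and has since both risen by at least `min_jump` bits per byte
    and reached `high`. A JPEG that was already near 8 bits shows no jump, so
    it is not reported; a document overwritten with ciphertext is."""
    alerts = []
    for path, new_data in after.items():
        old_data = before.get(path)
        if old_data is None:
            continue  # no baseline for new files; handled by other controls
        old_h, new_h = shannon_entropy(old_data), shannon_entropy(new_data)
        if new_h >= high and new_h - old_h >= min_jump:
            alerts.append(path)
    return sorted(alerts)


def _pseudo_random_bytes(seed: int, n: int) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed baseline and later snapshots of a small user directory.
_PLAINTEXT = (b"Quarterly report: revenue grew in all regions. Costs were flat. "
              b"The board approved the budget for the next fiscal year. ") * 8
BEFORE = {
    "report.docx": _PLAINTEXT,                     # ordinary document, low entropy
    "notes.txt": b"todo: rotate service account passwords\n" * 20,
    "photo.jpg": _pseudo_random_bytes(7, 4096),    # compressed image, already ~8 bits
}
AFTER = {
    "report.docx": _pseudo_random_bytes(42, 4096),  # overwritten with ciphertext
    "notes.txt": BEFORE["notes.txt"],               # untouched
    "photo.jpg": BEFORE["photo.jpg"],               # untouched, still high entropy
}

if __name__ == "__main__":
    for path in sorted(AFTER):
        print(f"{path:12s} before={shannon_entropy(BEFORE[path]):.2f} "
              f"after={shannon_entropy(AFTER[path]):.2f} bits/byte")
    print("entropy-jump alerts:", entropy_jump_alerts(BEFORE, AFTER))
```

On a real endpoint the same comparison would run on file-write events rather than whole-directory snapshots, and a rate component (many such jumps per minute from one process) is what turns a single suspicious write into a ransomware verdict; the two-snapshot form above isolates the entropy logic itself.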
Defend Against Ransomware by Closing Known Security Gaps
Attackers are constantly innovating. There will always be new ransomware tools designed to circumvent endpoint defense systems and evade the notice of IAM tools. Since it is impossible to stop 100% of attacks, the best protection (beyond not clicking suspicious links or enabling macros, of course) is to implement security solutions that can detect lateral movement and other potential attack activities within the network itself. Attackers will always use reconnaissance to identify high-value targets and steal the credentials they need to escalate their privileges. They will also continue to exploit Active Directory to gain the control they need to encrypt systems, change security settings, delete backups, and cover their tracks. Preventing attackers from moving between systems and protecting AD is the best defense against BlackCat and other forms of ransomware—and that is unlikely to change anytime soon. Traditional security controls do not provide this level of protection—but IDR offers enterprises a new way to thwart attackers hoping to exploit one of today’s most common security gaps.