BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers

Pierluigi Paganini June 16, 2022

The BlackCat ransomware gang is targeting unpatched Exchange servers to compromise target networks, Microsoft warns.

Microsoft researchers have observed BlackCat ransomware gang targeting unpatched Exchange servers to compromise organizations worldwide.

The compromise of Exchange servers allows threat actors to access the target networks, perform internal reconnaissance and lateral movement activities, and steal sensitive documents before encrypting them.

“For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).” reads the post published by Microsoft 365 Defender Threat Intelligence Team.

blackcat ransomware exchange

In one of the attacks observed by Microsoft, threat actors started lateral movements two and a half days after the initial compromise. The ransomware operators signed into one of the target devices discovered during their initial reconnaissance using compromised credentials via interactive sign-in. Then they opted for a credential theft technique that didn’t rely tools like Mimikatz because they are easy to detect. The attackers created a dump file of the LSASS.exe process via Taskmgr.exe and saved the file to a ZIP archive.

The continues the discovery phase using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. Then the attackers attempt to connect devices using server message block (SMB) and remote desktop protocol (RDP).

“For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.” continues the analysis. “These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.”

BlackCat ransomware operators used both MEGAsync and Rclone for data exfiltration, they renamed them as legitimate Windows process names (for example, winlogon.exemstsc.exe) to avoid raising suspicion.

The ransomware payload is deployed two weeks from the initial compromise, often the attackers distributed of the payload using PsExec.exe.

The ALPHA/BlackCat gang has been active since at least December 2021 when malware researchers from Recorded Future and MalwareHunterTeam discovered their operation. The ALPHA/BlackCat is the first professional ransomware strain that was written in the Rust programming language.

BlackCat can target Windows, Linux, and VMWare ESXi systems, but at this time the number of victims is limited. The popular malware researcher Michael Gillespie said that the BlackCat ransomware is “very sophisticated.

Recorded Future experts speculate that the author of the BlackCat ransomware, known as ALPHV, was previously involved with the REvil ransomware operations.

ALPHV has been advertising the BlackCat Ransomware-as-a-Service (RaaS) on the cybercrime forums XSS and Exploit since early December. Like other ransomware groups, the gang also implements a double-extortion model, threatening to leak the stolen data if the victims don’t pay.

Recently, the ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom, the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online will make data indexable by search engines, increasing the potential impact on the victims due to the public availability of the stolen data.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Blackcat ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment