After a spate of recent attacks, the infamous BlackCat ransomware could be about to get much nastier, new research claims.
A report from Sophos has said that the threat actors behind the ransomware now appear to have added the Brute Ratel tool to their arsenal, making the group considerably more dangerous.
Brute Ratel is a penetration testing and attack simulation tool, similar to, but less well known than, Cobalt Strike.
Target legacy systems
“What we’ve been seeing lately with BlackCat and other attacks is that threat actors are very efficient and effective at their jobs. They use proven methods, such as attacking vulnerable firewalls and VPNs, because they know they still work. But they show innovation to avoid security defenses like switching to the newer post-exploit C2 framework Brute Ratel in their attacks,” said Christopher Budd, senior threat research manager, Sophos.
Brute Ratel is not the only tool in use: when analyzing past incidents, Sophos observed BlackCat using other open source and commercially available tools to create additional backdoors and alternative remote access channels, such as TeamViewer or ngrok. Cobalt Strike was also used.
BlackCat operators usually look for outdated firewalls and unpatched VPN services as their initial access point. Since December 2021, they have successfully infiltrated at least four organizations by exploiting vulnerabilities in firewalls.
Once they gain network access, they use the firewalls to extract credentials and move laterally through the network.
BlackCat does not appear to have a bias towards certain victims, as the threat targets companies in the US, Europe and Asia.
The only condition for an attack is that the company is operating end-of-life systems, lacking multi-factor authentication or VPNs, and using flat networks (where every endpoint has visibility into every other endpoint on the network).
“The common denominator of all these attacks is that they were easy to execute. In one case, the same BlackCat attackers installed cryptominers a month before launching the ransomware. This latest research shows the importance of following established security best practices; they still have a lot of power to prevent and thwart attacks, including multiple attacks on a single network.”