IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FBI warns Rust-based ransomware has breached over 60 organisations

The agency has issued an alert warning that the new ransomware has impacted at least 60 global organisations since last November

The Federal Bureau of Investigation (FBI) has warned of BlackCat ransomware-as-a-service (RaaS) which it believes has compromised at least 60 entities around the world since last November.

BlackCat has been recruiting new affiliates since late 2021 and targeting organisations across multiple sectors across the world, according to Varonis Threat Labs. It has actively recruited former REvil, BlackMatter, and DarkSide operators and increased its activity since November 2021. Varonis found that it offers lucrative affiliate payouts, up to 90%, and uses a Rust-based ransomware executable. The group's leak site also named over 20 victim organisations since January 2022, although the data security firm predicted that the total number of victims was likely to be greater.

The FBI released an alert earlier this month where it found that BlackCat, also known as ALPHV or Noberus, has compromised at least 60 entities worldwide through RaaS as of March 2022. It said it’s the first ransomware group to do so successfully using Rust, a programming language that offers high performance and improved safety features.

The advisory stated that the ransomware leverages previously compromised user credentials to gain initial access to the victim’s system. Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware utilises Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.

Related Resource

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Whitepaper cover with over-layered graphics of laptop, folder, file and skull/malware imagesFree Download

The initial deployment of the malware leverages PowerShell scripts, along with Cobalt Strike, and disables security features within the victim’s network. The ransomware also uses Windows administrative tools and Microsoft Sysinternals tools during compromise. BlackCat/ALPHV steals victim data before the execution of the ransomware, including from cloud providers where company or client data was stored. 

“BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount,” stated the FBI in the advisory. “Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.”

The agency is seeking any information that can be shared, including IP logs showing callbacks from foreign IP addresses, Bitcoin, or Monero addresses. It’s also searching for transaction IDs, communications with the threat actors, the decryptor file, and a sample of an encrypted file.

The law enforcement agency doesn’t recommend paying ransoms although it understands that some organisations may do so to protect shareholders, employees, and customers. Even if an organisation pays the ransom, the FBI has urged victims to report ransomware incidents to their local FBI office. It also suggested that organisations review their domain controllers, regularly backup data offline, and implement network segmentation.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022