BlackCat Ransomware Attacks: Threat Actors Use Brute Ratel and Cobalt Strike Beacons for Advanced Intrusions

Cybersecurity researchers have revealed a wave of new activity of the notorious BlackCat ransomware group deploying custom malware binaries for more sophisticated intrusions. In the latest attacks, threat actors have been leveraging Cobalt Strike beacons and a new penetration testing tool dubbed Brute Ratel, installing the latter as a Windows service on the compromised machines. 

Detect BlackCat Ransomware Attacks

To keep abreast of the ever-changing threat landscape and effectively withstand attacks that are growing in volumes and sophistication, global organizations are looking for ways to boost their cyber defense capabilities. With ransomware remaining a rising trend in the cyber threat landscape in 2021-2022, cybersecurity practitioners strive to protect against related threats. SOC Prime’s Detection as Code platform has recently released a new Sigma rule to detect a Brute Ratel malicious tool deployed in the latest BlackCat ransomware operations. Sign up or log into SOC Prime’s platform to access the detection written by our prolific Threat Bounty developer Kyaw Pyiyt Htet (Mik0yan):

Possible Brute Ratel Named Pipe Creation in BlackCat Ransomware Operation (via Pipe_Event)

Seasoned and promising cyber defenders with a keen flair for cybersecurity and ambitions for self-advancement are welcome to join our Threat Bounty Program to craft detection algorithms, share them with industry peers, gain recognition, and earn financial rewards for their contributions. 

The Sigma rule above can be applied across 18 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform. To ensure enhanced visibility into related threats, the detection is aligned with the MITRE ATT&CK® framework addressing the Process Injection (T1055) technique from the Defense Evasion tactic repertoire. Cybersecurity practitioners can also instantly hunt for threats associated with the BlackCat ransomware operations using the above-mentioned Sigma rule via SOC Prime’s Quick Hunt module

SOC Prime’s platform curates the entire list of detection algorithms to help organizations timely identify the BlackCat ransomware activity in their environment. To gain access to the dedicated toolkit, click the Detect & Hunt button. Alternatively, Threat Hunters, Cyber Threat Intelligence specialists, and other cyber defenders can instantly explore the comprehensive threat context behind BlackCat ransomware operations even without registration. Click the Explore Threat Context button to reach insightful contextual information, including MITRE ATT&CK references, CTI links, and Windows executable binaries linked to the Sigma rules that accompany your search for related threats.

Detect & Hunt Explore Threat Context

BlackCat Analysis: The Latest Updates

After it first emerged in November 2021, BlackCat (aka Alphv) promptly self-declared as a new ransomware-as-a-service (RaaS) leader, driving a lot of attention due to its unusual Rust coding language, sophisticated malicious capabilities, and generous offering for the affiliates to keep 90% of the ransom payments. Security researchers believe BlackCat might be the successor to DarkSide or BlackMatter ransomware groups suggesting a complex skill set of its operators.

The latest investigation by Sophos reveals that BlackCat maintainers keep enhancing the malware strain with new tricks. Threat actors typically rely on unpatched or outdated firewalls or VPN services to get an initial foothold on the exposed networks or grab VPN creds to log in as authorized users. 

Upon the infection, various open source and commercially available tools are leveraged to boost the remote access capabilities of BlackCat. Particularly, the analysis of the latest intrusions shows that threat actors utilized TeamViewer, nGrok, Cobalt Strike, and Brute Ratel to ensure alternative access routes. According to Sophos, the Brute Ratel pentesting suite with Cobalt Strike-like features is the latest acquisition to enhance post-exploitation capabilities while flying under the radar.

While adding to the BlackCat notoriety, the ransomware operators become bolder issuing higher ransom demands for its victims. The gang typically goes for high-profile targets, including OilTanking GmbH, Swissport, Florida International University, and the University of North Carolina A&T. The ransom demands have grown in time, now reaching $2,5M, with a possible 50% discount in the case of a quick payment.

With an increasing number of trends and more sophisticated intrusions, ransomware is considered to be the top challenge for most organizations in 2021, including large-scale enterprises. Register for SOC Prime’s Detection as Code platform and reach the collection of 200,000 + detection algorithms to identify and proactively defend against emerging threats. 

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts