BlackCat Ransomware Attacks: Threat Actors Use Brute Ratel and Cobalt Strike Beacons for Advanced Intrusions
- Akira Ransomware Detection: Joint Cybersecurity Advisory (CSA) AA24-109A Highlights Attacks Targeting Businesses and Critical Infrastructure in North America, Europe, and Australia - 19.04.2024
- UAC-0184 Abuses Messengers and Dating Websites to Proceed with Attacks Against Ukrainian Government and Military - 18.04.2024
- CVE-2024-3400 Detection: A Maximum Severity Command Injection PAN-OS Zero-Day Vulnerability in GlobalProtect Software - 17.04.2024
Table of contents:
Cybersecurity researchers have revealed a wave of new activity of the notorious BlackCat ransomware group deploying custom malware binaries for more sophisticated intrusions. In the latest attacks, threat actors have been leveraging Cobalt Strike beacons and a new penetration testing tool dubbed Brute Ratel, installing the latter as a Windows service on the compromised machines.
Detect BlackCat Ransomware Attacks
To keep abreast of the ever-changing threat landscape and effectively withstand attacks that are growing in volumes and sophistication, global organizations are looking for ways to boost their cyber defense capabilities. With ransomware remaining a rising trend in the cyber threat landscape in 2021-2022, cybersecurity practitioners strive to protect against related threats. SOC Prime’s Detection as Code platform has recently released a new Sigma rule to detect a Brute Ratel malicious tool deployed in the latest BlackCat ransomware operations. Sign up or log into SOC Prime’s platform to access the detection written by our prolific Threat Bounty developer Kyaw Pyiyt Htet (Mik0yan):
Possible Brute Ratel Named Pipe Creation in BlackCat Ransomware Operation (via Pipe_Event)
Seasoned and promising cyber defenders with a keen flair for cybersecurity and ambitions for self-advancement are welcome to join our Threat Bounty Program to craft detection algorithms, share them with industry peers, gain recognition, and earn financial rewards for their contributions.
The Sigma rule above can be applied across 18 SIEM, EDR, and XDR solutions supported by SOC Prime’s platform. To ensure enhanced visibility into related threats, the detection is aligned with the MITRE ATT&CK® framework addressing the Process Injection (T1055) technique from the Defense Evasion tactic repertoire. Cybersecurity practitioners can also instantly hunt for threats associated with the BlackCat ransomware operations using the above-mentioned Sigma rule via SOC Prime’s Quick Hunt module.
SOC Prime’s platform curates the entire list of detection algorithms to help organizations timely identify the BlackCat ransomware activity in their environment. To gain access to the dedicated toolkit, click the Detect & Hunt button. Alternatively, Threat Hunters, Cyber Threat Intelligence specialists, and other cyber defenders can instantly explore the comprehensive threat context behind BlackCat ransomware operations even without registration. Click the Explore Threat Context button to reach insightful contextual information, including MITRE ATT&CK references, CTI links, and Windows executable binaries linked to the Sigma rules that accompany your search for related threats.
Detect & Hunt Explore Threat Context
BlackCat Analysis: The Latest Updates
After it first emerged in November 2021, BlackCat (aka Alphv) promptly self-declared as a new ransomware-as-a-service (RaaS) leader, driving a lot of attention due to its unusual Rust coding language, sophisticated malicious capabilities, and generous offering for the affiliates to keep 90% of the ransom payments. Security researchers believe BlackCat might be the successor to DarkSide or BlackMatter ransomware groups suggesting a complex skill set of its operators.
The latest investigation by Sophos reveals that BlackCat maintainers keep enhancing the malware strain with new tricks. Threat actors typically rely on unpatched or outdated firewalls or VPN services to get an initial foothold on the exposed networks or grab VPN creds to log in as authorized users.
Upon the infection, various open source and commercially available tools are leveraged to boost the remote access capabilities of BlackCat. Particularly, the analysis of the latest intrusions shows that threat actors utilized TeamViewer, nGrok, Cobalt Strike, and Brute Ratel to ensure alternative access routes. According to Sophos, the Brute Ratel pentesting suite with Cobalt Strike-like features is the latest acquisition to enhance post-exploitation capabilities while flying under the radar.
While adding to the BlackCat notoriety, the ransomware operators become bolder issuing higher ransom demands for its victims. The gang typically goes for high-profile targets, including OilTanking GmbH, Swissport, Florida International University, and the University of North Carolina A&T. The ransom demands have grown in time, now reaching $2,5M, with a possible 50% discount in the case of a quick payment.
With an increasing number of trends and more sophisticated intrusions, ransomware is considered to be the top challenge for most organizations in 2021, including large-scale enterprises. Register for SOC Prime’s Detection as Code platform and reach the collection of 200,000 + detection algorithms to identify and proactively defend against emerging threats.
