Ransomware Prevention: Protect your organization from BlackCat Ransomware attacks

Where there is value for organizations online, there will be a cybercriminal ready with a ransomware attack to exploit it. 

Since they first emerged in December of 2021, BlackCat Ransomware has become another example of a ring of cybercriminals who practice the model of Ransomware-as-a-Service (RaaS) to wreak havoc on organizations. This is an article about who they are, what they do, how they perform their ransomware attacks and what you can do to protect your organization from this form of ransomware.

What is BlackCat Ransomware? 

The ALPHV group, or BlackCat, is a group of ransomware creators. Their “business model” is based on the deal that they give other attackers access to their infrastructure and malicious malware and, in turn, they receive a portion of the successfully traded ransom. Black cat ransomware gang members are likely in charge of the negotiations with the victims of their attacks. The majority of RaaS providers let their partners keep about 70% of their earnings. The commissioners, meanwhile, can expect to receive 80–90% profit with BlackCat. 

This means the only thing lacking from their “one-stop shop” business model is access to the exact corporate environment they intend to attack. However, their malware has already been used in successful ransomware attacks around the globe, which means finding access for them is not a deterrent. According to the FBI FLASH notice circa April 2022, the operation had infected more than 60 persons in six months. 

How does BlackCat Ransomeware work? 

Along with its profit incentive, BlackCat has a loaded lineup of malicious tools, with features that make it difficult for victims to overcome a ransomware attack. For example, it’s written in Rust, its ransomware attacks use different tools and strategies depending on the attack. Let’s explore the way it works and how each of these adds to its attractiveness for those looking to host a ransomware attack. 

For one thing, BlackCat is the first ransomware written in Rust. The use of a new language for its payload means the ransomware can avoid detection. This is particularly evasive from traditional security solutions that may not be as updated in their capacity to analyze and interpret binaries generated in the new forms of these languages. This also yields BlackCat the ability to target a variety of hardware and operating systems with their cross-platform tool of the same name. Microsoft has noted successful assaults on Linux devices, Windows and VMware instances. The more devices and operating systems they can attack, the more they have to gain and the more the rest of us have to lose.

Secondly, BlackCat is thought to have been rebranded from a previous ransomware group, meaning it will already have connections to systems in the game. The Fendr utility is specifically what organizations must protect themselves from. This is what BlackCat uses to exfiltrate data from infected infrastructure. This suggests a resurfacing of old ransomware attack groups, such as the BlackMatter faction (also known as ExMatter) who were, the only known gang to utilize this tool. For lateral movement within the victim’s network, BlackCat also makes use of the PsExec tool, Mimikatz, an infamous hacker software and Nirsoft software to steal network passwords and gain full access. With the three separate tools for different functions, anomalies may be dismissed, or see a lack of detection since this means less of each function to detect, and a shorter window to do so.

However, it is worth noting that depending on the partner player in each attack, the ransomware group will change the attack strategy. Thus, it is best to be ready.

On a technical level, BlackCat emphasizes and exploits the following five vulnerabilities: 

CVE-2016-0099 (High), CVE-2019-7481 (High), CVE-2021-31207 (High), CVE-2021-34473 (Critical), and CVE-2021-34523 (Critical). CVE-2021-34473 and CVE-2021-34523, found in Microsoft Exchange Server, both require immediate remediation. They are more dangerous due to the way these cause potential use in vulnerability chaining attacks, and because they have multiple known threat actor associations. The more access, the higher the risk.

Why is it important to have ransomware protection in my organization?

In the event of a ransomware attack, a company without any protection in place can find itself facing the music of many negative effects. In the event an organization is attacked by BlackCat, paying its ransom will mean company resources will be spent to retrieve critical business data from attackers. It also will show the attackers that this is a vulnerable target and that they may continue to negotiate the ransom if attacked again. However, should the organization refuse payment or acknowledge the ransomware attack, the organization could be handing its network over to cybercriminals, who could then leak sensitive data, which could turn into the organization’s reputation soiled, data leaked and lawsuits filed.

Even if the organization decides to cooperate, play things by the book and pay the ransom, there is still no guarantee that the systems will be released. The data is not safe in the hands of cybercriminals, who don’t come ready to guarantee that they won’t leak the data they’ve collected. With all of these uncertain scenarios, it is essential to have a mitigative cybersecurity plan. With the proper tools in place, organizations avoid being in the Catch-22 where they have to make that choice. 

How can I protect my organization from BlackCat Ransomware and other ransomware attacks?

While there is no guarantee, certain tools can grant immunity from a ransomware attack, in the same way, a shot will boost immunity from a viral infection in the human body. It is best to have a proactive ransomware strategy that is customizable to your needs as an organization and will protect your data at all times in its lifecycle.

Protecting your organization from ransomware attacks required a three part strategy i.e. Prevention/detection solutions, Backup/recovery solutions, and equally important – data security that prevents exfiltration of unencrypted data. With prevention and detection tools enterprises can prevent or catch a portion of ransomware before it causes damage. With backup and recovery tools organizations can bring systems back up after an attack without giving into ransom demands. The third one is critically important because it ensures that exfiltrated data cannot be used to extort victims, their customers, partners, employees and board members! This is where Portal26 comes in.

Cybersecurity tools, such as Portal26 Suite, are easy to use and are very effective in reducing the blast radius of  ransomware attacks. Portal26 Suite boasts several features that grant organizations immunity to cyberattacks while not requiring the organization to change its current infrastructure.

In fact, Portal26 is the only data protection solution on the market that dramatically reduces valuable compromise  in the event of a BlackCat attack, even if attackers successfully breach the organization and leave with it. Portal26 utilizes strong encryption on valuable data, both structured and unstructured, but keeps the encryption on even while the data is in active use and even if it is accessed by privileged users such as administrators. In the case of structured data, Portal26 supports full featured queries including full text search and as well as rich analytics without data decryption. For both structured and unstructured data, encryption is retained all the way until an actual user needs to review data on a UI but it is not persisted. 

Portal26 is the industry’s most advanced data security platform that breaks free of historic data security limitations and provides a solution that preserves the strength of traditional encryption and tokenization while removing the traditional challenges around performance and rich data usability .

Portal26 products that can aid in BlackCat protection include: 

Portal26 FileShare Security: Portal26 provides always-on encryption for file servers and other file sharing platforms. Portal26 ensures that all files are always secured with NIST FIPS 140-2 validated strong encryption and unencrypted data is not available directly from the file share regardless of privilege. Since data is encrypted before it lands, ransomware actors cannot access unencrypted data even if they are inside the firewall and moving laterally without restriction. Data release is strongly governed via policy, can be released in a number of private formats, can be rate limited, and plugged into other access controls as required.   

Portal26 Object Store Proxy: Portal26 Proxy provides transparent application level NIST FIPS 140-2 validated encryption for cloud object stores. Whereas native cloud platform encryption secures data from compromise on the cloud provider, encrypting with Portal26 ensures ransomware protection and complete data security if the enterprise themselves are victims of an attack. Portal26 supports privacy-enabled data release in nine secure and private formats as well as full-featured searches on encrypted data. The Portal26 Proxy bolts onto the non-extensible legacy, or fragile, systems and transparently directs sensitive data in and out according to security or privacy policy. Portal26 Proxy is available for both AWS and Azure environments.

Portal26 Vault: Portal26 Vault is a stand-alone data vault that canstore and analyze structured and unstructured data all while retaining strong NIST FIPS140-2 encryption, without decrypting data at any time including in memory or under the hood. . With backup in place and strong encryption-in-use, Portal26 Vault is immune to cyberattacks including ransomware. The Portal26 Vault also wins against traditional tokenization solutions by providing all the capabilities of tokenization with the added benefit of rich data usability. If used for tokenization, the Portal26 Vault can secure any type of existing datastore or existing applications and also to build ground-up systems that are natively immune to data compromise. Data can be released from the Vault in nine different privacy-preserving formats so that downstreams systems are also protected from ransomware attacks and insider threats. 

Portal26 Plugin: Portal26 Plugin protects sensitive data inside major enterprise search platforms without limiting full-featured search capabilities or deprecating search performance. Portal26 Plugin is available for all versions of Elasticsearch, OpenDistro, and OpenSearch on AWS/Azure. The Portal26 plugin can be up and running on enormous big data clusters within hours. Data inside the Portal26-protected platforms cannot be exfiltrated in clear text, even if the cluster is compromised during a ransomware attack, insider attack,  or left exposed by accident.

Portal26 API/Translation service: Portal26’s API service can stand alone or integrate with any of the other Portal26 products to yield a high-performing data translation service. The Portal26 Translation Service can be used independently to make existing applications resistant to ransomware and other data related cyberattacks. It can also ensure  that protected data leaving other Portal26 products can be easily translated into clear text or other private formats by downstream applications. From the nine secure and private formats (including searchable encryption) and types of data including keywords, text, numbers, dates, IP Addresses, Binary and PII-specific data types, the Portal26 API enables other Portal26-protected systems to be completely locked down, aligned with the Zero Trust Data security standard.

Portal26 Studio: Finally, the Studio provides an interface for managing other Portal26 products. It provides dashboards, reports, and granular compliance certifications in the event of a successful attack. Uniquely, the Portal26 Studio gives CISOs critical post-attack documentation as they can use Portal26 Studio reports as auditable evidence that their data retained encryption throughout the attack. 

Highlights of the product’s capabilities include: 

• Protection from the most common and highly damaging types of ransomware attacks involving data exfiltration. These include large scale unstructured and structured data exfiltration using privileged credentials. 
• Strong security benefits without performance penalty. Portal26’s data ingest overhead is under 5% when compared to clear text and Portal26 runs search with 0% overhead. Depending on the volume of data, the storage overheads are typically 15%. Homomorphic encryption, the closest comparable solution, suffers from exceedingly large compute (500% overhead) and storage (10,000% overhead) requirements. 
• Portal26’s ability to release data in an application-friendly manner minimizes the need for application changes.
• Portal26 has been built to perform at an enormous data scale without loss of performance, handling petabytes of data and millions of keys with ease. 
• Portal26 provides post-attack support for those who suffer a cyber attack. Uniquely, in the event of a ransomware attack, the software provides a report with visibility into any data that was observed, accessed, or exfiltrated. This offers auditable evidence that the data retained encryption. This helps avoid ransom payouts and also reduces liability, penalty, and notification obligations for regulated industries, private companies, and all who have a duty to their users to protect data. 

Protect your organization from BlackCat Ransomware attacks Today

Do not wait until it is too late, allow Portal26 to help you!

Schedule a Demo >