Microsoft has identified a new variant of the BlackCat ransomware [1] [2] [5] [6], known as BlackCat 3.0 [2]. This advanced ransomware incorporates tools such as Impacket and RemCom for lateral movement and remote code execution [1] [3] [4] [5] [6]. It has also been found to embed compromised target credentials for further ransomware deployment. Microsoft considers BlackCat 3.0 one of the most advanced, top-tier ransomware groups. IBM Security X-Force has also disclosed an updated version of BlackCat called Sphynx [1] [3] [4] [5] [6], which functions as a toolkit with more than ransomware capabilities. Additionally, the BlackCat ransomware group has released a data leak API to increase the visibility of its attacks [5] [6]. The Cuba ransomware threat group has been observed using a comprehensive attack toolset [1] [3] [5] [6], targeting vulnerabilities such as CVE-2020-1472 and CVE-2023-27532 [1] [3] [4] [5] [6], as well as exploiting the Veeam Backup & Replication software vulnerability [5]. Ransomware attacks are evolving [1] [3] [4], with some groups shifting from encryption to exfiltration and ransom [5], or resorting to triple extortion tactics [4] [5]. Managed service providers (MSPs) have also become targets [1] [3] [4] [5] [6], with threat actors abusing legitimate RMM software [3]. In response to these threats, the U.S. government has released a Cyber Defense Plan to mitigate risks to the RMM ecosystem [1] [3] [4] [5] [6].

Description

Microsoft has discovered a new variant of the BlackCat ransomware [1] [2] [5] [6], known as BlackCat 3.0 [2]. This variant incorporates advanced tools such as Impacket and RemCom for lateral movement and remote code execution [1] [3] [4] [5] [6]. It also embeds compromised target credentials for further ransomware deployment [1] [3] [5] [6]. BlackCat 3.0 has been attributed to 212 out of 1,500 ransomware attacks, and Microsoft considers it one of the most advanced, top-tier groups. IBM Security X-Force has disclosed an updated version of BlackCat called Sphynx [1] [3] [4] [5] [6], which goes beyond ransomware functionality and can operate as a toolkit [5]. The BlackCat ransomware group has also released a data leak API to increase the visibility of its attacks [5] [6].

The Cuba ransomware threat group has been observed using a comprehensive attack toolset that includes BUGHATCH [1] [3] [5] [6], BURNTCIGAR [1] [3] [4] [5] [6], Wedgecut [1] [3] [4] [5] [6], Metasploit [1] [3] [4] [5] [6], and Cobalt Strike [1] [3] [4] [5] [6]. The group has targeted vulnerabilities such as CVE-2020-1472 and CVE-2023-27532 [1] [3] [4] [5] [6], as well as exploiting the Veeam Backup & Replication software vulnerability [5]. Ransomware attacks are evolving [1] [3] [4], with some groups moving away from encryption toward exfiltration and ransom [5], or resorting to triple extortion tactics [4] [5]. Managed service providers (MSPs) have also been targeted as entry points into corporate networks [1] [3] [5], with threat actors abusing legitimate RMM software [3].

In response to these threats, the U.S. government has released a Cyber Defense Plan to mitigate risks to the RMM ecosystem [1] [3] [4] [5] [6].

Conclusion

The discovery of the BlackCat 3.0 ransomware variant and the disclosure of the Sphynx toolkit by IBM Security X-Force highlight the increasing sophistication of ransomware attacks. The BlackCat ransomware group's data leak API further demonstrates its effort to increase the visibility of its attacks. The Cuba ransomware threat group's use of a comprehensive attack toolset and its targeting of specific vulnerabilities showcase the evolving tactics employed by ransomware groups. The shift toward exfiltration and triple extortion tactics [1] [6], as well as the targeting of managed service providers, poses significant risks to corporate networks. The U.S. government's Cyber Defense Plan aims to mitigate these risks and protect the RMM ecosystem [1] [3] [4] [5] [6]. Organizations must stay vigilant and implement robust cybersecurity measures to defend against these evolving threats.

References

[1] https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.html
[2] https://cyber.vumetric.com/security-news/2023/08/17/microsoft-blackcat-s-sphynx-ransomware-embeds-impacket-remcom/
[3] https://patabook.com/technology/2023/08/21/new-blackcat-ransomware-variant-adopts-advanced-impacket-and-remcom-tools/
[4] https://vulnera.com/newswire/new-blackcat-ransomware-variant-incorporates-advanced-impacket-and-remcom-tools/
[5] https://pfete.com/index.php/2023/08/18/new-blackcat-ransomware-variant-adopts-advanced-impacket-and-remcom-tools/
[6] https://jn66dataanalytics.com/news/new-blackcat-ransomware-variant-adopts-advanced-impacket-and-remcom-tools-the-hacker-news