Two of the “most prolific” affiliate threat groups, which have been associated with several ransomware families, including Hive, Conti and Ryuk, are now deploying the BlackCat ransomware-as-a-service (RaaS), new Microsoft research revealed.
Researchers tracking BlackCat deployments face a challenge that’s currently prevalent in the ransomware threat landscape: Because it relies on the RaaS affiliate model, no two BlackCat deployments might look the same, with different affiliates utilizing different tactics. For instance, two separate BlackCat deployments recently observed by Microsoft used two initial access vectors – one using compromised credentials, and the other exploiting a vulnerable Microsoft Exchange server – as well as different persistence, credential exfiltration and lateral movement methods.
This can throw a wrench in the ability to pin down commonly used TTPs for the ransomware beyond the basics. Still, the outcome of BlackCat – data being encrypted, exfiltrated and used for “double extortion” – is the same, and researchers said organizations can defend against the ransomware family by addressing common issues like poor credential hygiene or misconfigurations.
“Apart from the incidents discussed earlier, we’ve also observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat,” said Microsoft’s 365 Defender Threat Intelligence team in a Monday analysis. “Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.”
Researchers observed the financially motivated DEV-0237 group (also known as FIN12) adding BlackCat to its list of distributed payloads starting in March. The group is known for its distribution of Conti, Ryuk and, most recently, the Hive ransomware.
“Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies,” said researchers.
Another well-known active affiliate group, DEV-0504, adopted BlackCat starting in December. The group has previously delivered ransomware families like BlackMatter, Conti, LockBit 2.0, REvil and Ryuk. DEV-0504 has several known TTPs, including using an initial vector that involves remotely signing into devices with compromised credentials. It is also known for using tools like Mimikatz for credential theft, StealBit for data exfiltration and PsExec for distributing the ransomware payload.
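The DEV-0504 chain described above (a remote sign-in with compromised credentials, then PsExec to push the payload) leaves a recognizable trace in Windows logs: a network or RDP logon (Security event 4624, logon type 3 or 10) followed shortly on the same host by installation of the PSEXESVC service (System event 7045). The following detection logic is an added example, not code from Microsoft or the article; the event records are constructed samples, and the field names and five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article), normalised to dicts
# from Windows Security (4624) and System (7045) log entries.
SAMPLE_EVENTS = [
    {"ts": "2022-06-13T02:14:05", "host": "FS01", "id": 4624,
     "logon_type": 3, "user": "svc_backup", "src": "10.0.5.23"},
    {"ts": "2022-06-13T02:14:09", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2022-06-13T02:30:00", "host": "WS07", "id": 4624,
     "logon_type": 2, "user": "alice", "src": "-"},          # local logon
    {"ts": "2022-06-13T03:00:00", "host": "DC01", "id": 7045,
     "service": "Backup Agent", "image": r"C:\Backup\agent.exe"},  # benign
]

REMOTE_LOGON_TYPES = {3, 10}   # 3 = network (SMB/PsExec), 10 = RDP
WINDOW = timedelta(minutes=5)  # assumed correlation window


def find_psexec_lateral_movement(events, window=WINDOW):
    """Return one alert per PSEXESVC install that follows a remote logon on
    the same host within `window`. PSEXESVC is PsExec's default service
    name; a renamed service evades this name check, so production rules
    should also key on the image path and on the service's parent process."""
    recent_logons = {}  # host -> [(time, user, source address)]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") in REMOTE_LOGON_TYPES:
            recent_logons.setdefault(e["host"], []).append(
                (t, e["user"], e["src"]))
        elif e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            for logon_time, user, src in recent_logons.get(e["host"], []):
                if timedelta(0) <= t - logon_time <= window:
                    alerts.append({"host": e["host"], "user": user,
                                   "src": src, "service_time": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_psexec_lateral_movement(SAMPLE_EVENTS):
        print("possible PsExec lateral movement:", alert)
```

The same correlation can be fed from a SIEM query instead of an in-memory list; the point is tying the service install back to the account and source address of the remote logon that preceded it, which is what an analyst needs to scope the compromised credential.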
Certain features of BlackCat are specifically customized for affiliates, so it may be no surprise that these popular affiliate groups have started leveraging the ransomware. For instance, the BlackCat payload allows affiliates to customize execution to the environment. The ransomware’s self-propagation feature is also configurable by an affiliate for individual environments.