BlackCat Ransomware Targets Microsoft Azure Storage

Threat Advisory
Written By Lee Vaniderstine

Introduction

In the ever-evolving landscape of cybersecurity, new threats emerge that challenge the defenses of even the most robust systems. One such threat that has recently come to light is the BlackCat ransomware, which specifically targets Microsoft Azure storage. This advisory aims to provide a comprehensive overview of the threat, its significance, the potential risks it poses, and Enterprotect's expert recommendations to mitigate its impact.

What is the Threat?

The BlackCat ransomware gang, known for its sophisticated attacks, has recently been observed exploiting a vulnerability in Azure's security infrastructure. Coupled with the newly discovered Sphynx encryptor variant, the gang targets Azure cloud storage. This ransomware encrypts victim data, rendering it inaccessible, and then demands a ransom for decryption.

The modus operandi involves attackers first obtaining a victim's One-Time Password (OTP) through the LastPass Chrome extension. With this unauthorized access, they infiltrate a Sophos Central account. Once inside, they disable security protocols, alter policies, and proceed to encrypt systems and Azure cloud storage. A distinct marker of this attack is the appending of the .zk09cvt extension to encrypted files. Furthermore, the attackers gain access to the victim's Azure portal using stolen Azure keys encoded with Base64.

Why is it Noteworthy?

Azure cloud storage, a product of Microsoft, is a trusted platform used by businesses worldwide. The fact that this ransomware targets such a widely-used platform underscores its potential for causing widespread data loss and operational disruptions.

The BlackCat ransomware gang has consistently been recognized as one of the most advanced and globally impactful ransomware operations. Their adaptability is evident in their evolving techniques. A recent development saw the gang employing a unique extortion method. They set up a dedicated clear web portal to publicly disclose stolen data from specific victims. This move allows affected customers and employees to gauge the extent of potential data exposure.

Moreover, the gang introduced a data leak API in July, which simplifies the process of disseminating stolen information. An affiliate of the gang, Scattered Spider, recently claimed responsibility for a massive attack on MGM Resorts. This attack resulted in the encryption of over 100 ESXi hypervisors after MGM Resorts decided to shut down its internal infrastructure and decline ransom negotiations. The FBI's warning, highlighting the gang's involvement in successful breaches affecting more than 60 entities worldwide between November 2021 and March 2022, further emphasizes the need for heightened vigilance.

What is the Exposure or Risk?

The primary risk associated with this threat is the potential compromise of critical data stored on Azure cloud storage. Organizations that fall victim to this ransomware face the grim prospects of data loss, operational disruptions, and financial extortion.

The new Sphynx encryptor has been found to embed the Remcom hacking tool and the Impacket networking framework, which facilitates lateral movement across compromised networks. During the intrusion, attackers utilize various RMM tools, such as AnyDesk, Splashtop, and Atera. They also exploit Chrome to access the target's installed LastPass vault via the browser extension, from where they obtain the OTP.

Organizations with extensive reliance on Azure cloud storage and related services are particularly vulnerable. Additionally, entities with weak access controls, insufficient employee training in cybersecurity, or those lacking multi-factor authentication (MFA) in their security measures face heightened risks.

What are the Recommendations?

Enterprotect advises organizations to take the following measures to limit the potential impact of a BlackCat Ransomware Attack:

  1. Implement Multi-Factor Authentication (MFA): Enforce MFA for all critical accounts and systems, especially Azure services. MFA significantly bolsters security by necessitating multiple verification forms.

  2. Stay Updated: Ensure all software and systems are regularly updated with the latest security patches. This proactive approach helps prevent the exploitation of known vulnerabilities.

  3. Review Access Control: Periodically review and enhance access control policies. Ensure that users have only the necessary access to Azure resources, following the principle of least privilege.

  4. Educate Employees: Conduct regular cybersecurity training sessions. Educate employees about the dangers of phishing and social engineering threats. Encourage them to promptly report any suspicious activities.

  5. Backup Strategy: Maintain a comprehensive data backup strategy. This should include off-site and offline backups, ensuring data recovery without succumbing to ransom demands.

References

  1. BlackCat Ransomware Targets Azure Storage with Sphynx Encryptor

  2. BlackCat (ALPHV) Ransomware Linked to BlackMatter & DarkSide Gangs

  3. SophosXOps on BlackCat Ransomware

Lee Vaniderstine
Previous

Updated Bumblebee Malware Loader with Enhanced Evasion Capabilities
Next

Critical Zero-Day Vulnerability in Adobe Acrobat and Reader