BlackCat Ransomware Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/blackcat-ransomware/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Mon, 03 Jul 2023 12:01:43 +0000

Bandai Namco Hacked, ALPHV Group Claims
https://gridinsoft.com/blogs/bandai-namco-hacked-ransomware-attack/
Published: Mon, 11 Jul 2022 15:58:03 +0000

On Monday, July 11, 2022, information about a cyberattack on the video game publisher Bandai Namco appeared. Reportedly, the relatively new BlackCat/ALPHV cybercrime group encrypted the company's files and stole its data, according to the post on their Darknet leak page.

Ransomware Attack on Bandai Namco

The Japanese game publisher was reportedly struck by ALPHV ransomware earlier today. The way of penetration, as well as the ransom sum, remain unknown. That is typical for the BlackCat ransomware group: earlier, they kept the details of the attack on the University of Pisa secret until the university disclosed the information itself. In that case, they asked for $4.5 million, a fairly typical sum for an organisation of that size. Bandai Namco, however, has a much bigger turnover, so the hackers may ask for a sum two or three times larger.

Still, the penchant for secrecy in the BlackCat group is only partial. After another successful attack, the group began publishing the leaked information soon after the target company refused to pay the ransom. Contrary to the vast majority of ransomware groups, they posted it not on a Darknet page but on the surface web, accessible to any user. The site was disabled fairly soon, but the fact remains: they are not just selling the data, they are also shaming their victims. That may also be a calculated way to force the company to publicly acknowledge the cybersecurity incident.

Image: The post on ALPHV group's Darknet leak page

About BlackCat/ALPHV group

BlackCat is a notorious cybercriminal gang that appeared in November 2021. In June 2022, they accounted for over 30% of all ransomware attacks. These days, it splits the ransomware arena with the LockBit group, another infamous gang that has been running since 2019. Obviously, it is incorrect to call the BlackCat/ALPHV gang a newbie: many analysts assume it is just a rebranding of BlackMatter ransomware, which ceased activity in November 2021 and was itself a successor of DarkSide. DarkSide is widely known for its May 2021 attack on Colonial Pipeline, which caused a serious fuel price surge on the US East Coast.

Image: BlackCat ransomware ransom note

However, BlackCat as a new gang got its own "identity". First and foremost, its payload is written in the Rust programming language. Rust was a rare choice for malware at the time, so existing signatures and analysis tooling had little to match against, and the same code base builds for Windows and even for *NIX systems. Another notable element of this gang is its affiliate policy: the operators keep only 10% of a ransom sum. Combined with hiring hackers from the REvil, DarkSide and Conti groups, that creates a quasi-team of professionals. They are still just criminals, but extremely dangerous ones.

BlackCat ransomware gang publishes leaked data on the clear web site
https://gridinsoft.com/blogs/blackcat-gang-posts-the-leaks-in-surface-web/
Published: Wed, 15 Jun 2022 22:20:06 +0000

The BlackCat/ALPHV group recently announced on its victim shaming and extortion website that it had hacked a luxury spa and resort in the Western United States. At some point in the last 24 hours, ALPHV put up a website with the victim's name in the domain and the victim's logo on the front page. The ALPHV website claims to care about people's privacy, yet it allows anyone to view sensitive stolen data.

BlackCat/ALPHV published the leaked data

Cybercriminal groups that practice double extortion have tried countless ways to shame their victims into paying. The latest innovation that raises the stakes comes from the ALPHV/BlackCat ransomware group. Previously, it released stolen victim data on its Darknet leak page. Now the group has begun posting websites for individual victims on the public Internet, with the leaked data made available in an easily searchable form.

The case of the luxury resort is among the first, but likely not the last. The hackers' website claims to hold the personal information of 1,500 resort employees and over 2,500 guests. At the top of the page there are two "Check Yourself" buttons, one for employees and one for guests. Brett Callow, a threat analyst at security firm Emsisoft, called ALPHV's actions a "cunning tactic" that is sure to worry their other victims.

Cybersecurity experts are surprised with what’s happening

Callow said most of the victim-shaming blogs maintained by major ransomware groups exist on obscure, slow-loading sites on the Dark Web. Users can reach those sites only with third-party software such as Tor. But the website created by ALPHV as part of this new pressure tactic is available on the surface web. Hence, anyone who wants to look up a particular visitor can do so. "Companies are likely to be more concerned about the prospect of their data being shared this way than just being posted on an obscure Tor site whose URL almost no one knows," Callow said. "It will piss people off and force them to react together." Apparently, Callow alludes to the high probability that the FBI will pay attention to a gang with such sly tricks. And this is not the only case where US law enforcement has gone after these crooks.

Image: Leak site screenshot which the BlackCat gang created for Allison Resort

It's unclear whether ALPHV plans to apply this approach to every victim, but other recent victims of the gang include a US school district and a city. This is most likely a test run to see if it improves results. "We are not going to stop, our leak distribution department will do everything possible to bury your business," the victim's website says. "At this point, you still have a chance to maintain the safety and reputation of your hotel. We strongly encourage you to be proactive in your negotiations; you don't have much time."

What is BlackCat/ALPHV ransomware?

Launched in November 2021, ALPHV is perhaps most notable for its programming language, Rust. That choice helps the payload evade detection by conventional security solutions, and it makes the malware cross-platform, so it can run on Windows and on *NIX systems. ALPHV actively recruits affiliates from several ransomware operations, including REvil, BlackMatter and DarkSide, offering partners up to 90% of any ransom paid by the victim organization.

Image: BlackCat/ALPHV ransomware ransom note

Many security experts believe that ALPHV/BlackCat is simply a rebranding of another ransomware group, BlackMatter, itself the successor of DarkSide. DarkSide is responsible for the 2021 Colonial Pipeline attack, which led to fuel shortages and price spikes on the U.S. East Coast. That is exactly why I mentioned that attention from law enforcement is nothing new for these people. Are they fearless now?

Let’s sum the things up

The fact that the ransomware group has stepped up to posting leaked information, and in particular information about individuals, is outrageous. Even more disgusting is that they created a page for it on the surface web. Still, such a technique can turn out positive for the individuals whose data is leaked. Mr. Callow, whom I cited above, supposed there may be a silver lining to this ALPHV innovation, mentioning the letter his wife received from the Cl0p ransomware gang.

“On the positive side, tricks like this mean that people can find out that their personal data has been compromised. Cl0p sent a letter to my wife last year. The company that lost her data still hasn’t made the information public or notified the affected people (at least she hasn’t heard anything from the company).”

Sure, receiving a leak notification in such a manner is not pleasant. But it is far better than remaining unaware entirely, as happens quite often. Who knows, maybe this case will raise the stakes and force companies to disclose leaks as soon as they are uncovered? What a time to be alive.

BlackCat Ransomware Attacks Italian University
https://gridinsoft.com/blogs/blackcat-ransomware-attacks-italian-university/
Published: Tue, 14 Jun 2022 22:14:11 +0000

An Italian university was hit by BlackCat this week. The hackers demand a $4.5 million ransom. BlackCat is a new but very potent ransomware gang with several distinctive features that make it harder to detect and prevent.

About BlackCat ransomware

BlackCat ransomware is no longer a newcomer on the ransomware scene, but it is far from an old-timer like Conti or HiddenTear. Its first activity was in November 2021, and it became known for using the Rust programming language in its payload. That made the malware harder to detect and lets it run on different operating systems, including Windows, FreeBSD and Linux. The affiliates the ransomware is sold to seem to be quite professional, since there is no fixed pattern in their actions and each attack is executed differently from the others. As is usual for most modern ransomware groups, double extortion is applied. ANOZR WAY reports that about 12% of attacks in 2022 are attributed to this ransomware, an enormous share for such a young group.

Image: Ransom note of BlackCat ransomware

On Monday, June 13, 2022, Microsoft published a blog post detailing the BlackCat group. The company reviewed successful attacks against Windows and Linux devices, as well as VMware instances. Microsoft called BlackCat (a.k.a. ALPHV) a prime example of the "hacker gig economy", since it operates on the ransomware-as-a-service model. The Rust payload helps the group evade detection by conventional security tools and complicates the work of security professionals by making it harder to reverse engineer the payload or compare it with similar ransomware. Typically, the affiliates get in using stolen credentials and exposed remote desktop applications.
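The initial access pattern described above (stolen credentials plus remote desktop) is something a defender can look for in Windows Security logs. The script below is an added example, not code from the Gridinsoft post or from Microsoft's report: it scans a constructed, simplified rendering of logon events (4624 success, 4625 failure) and flags RDP logons (LogonType 10) that come from outside an assumed internal address range or that succeed right after a burst of failures. The log format, the trusted network range and the failure threshold are all assumptions for illustration.

```python
"""Flag suspicious RDP (RemoteInteractive, LogonType 10) logons.

Added example, not from the original post. The key=value log format below
is a constructed simplification of Windows events 4624/4625; the trusted
network range and the failure threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: three failures then a success from a non-internal
# address, a normal internal RDP logon, an external RDP logon with no prior
# failures, and a network (type 3) logon that should be ignored.
SAMPLE_EVENTS = """\
ts=2022-06-10T22:01:11Z id=4625 user=jdoe src=185.220.101.4 type=10
ts=2022-06-10T22:01:13Z id=4625 user=jdoe src=185.220.101.4 type=10
ts=2022-06-10T22:01:15Z id=4625 user=jdoe src=185.220.101.4 type=10
ts=2022-06-10T22:01:19Z id=4624 user=jdoe src=185.220.101.4 type=10
ts=2022-06-10T22:05:02Z id=4624 user=svc_backup src=10.0.5.20 type=10
ts=2022-06-10T22:06:40Z id=4624 user=admin src=198.51.100.7 type=10
ts=2022-06-10T22:07:00Z id=4624 user=alice src=10.0.1.9 type=3
"""

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal range
FAIL_THRESHOLD = 3          # assumption: failures before a success that look like guessing
REMOTE_INTERACTIVE = "10"   # Windows LogonType 10 = RDP / RemoteInteractive


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; returns None for lines missing fields."""
    try:
        ev = dict(kv.split("=", 1) for kv in line.split())
    except ValueError:
        return None
    if not {"ts", "id", "user", "src", "type"} <= ev.keys():
        return None
    return ev


def is_trusted(src):
    """True if the source address falls inside an assumed internal network."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def analyze(text):
    """Return a list of findings for RDP logons worth a closer look."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> failures since last success
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["type"] != REMOTE_INTERACTIVE:
            continue
        key = (ev["user"], ev["src"])
        if ev["id"] == "4625":
            failures[key] += 1
            continue
        if ev["id"] != "4624":
            continue
        reasons = []
        if not is_trusted(ev["src"]):
            reasons.append("rdp_from_untrusted_network")
        if failures[key] >= FAIL_THRESHOLD:
            reasons.append(f"success_after_{failures[key]}_failures")
        failures[key] = 0  # a success resets the streak for this user/source pair
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["src"], ", ".join(f["reasons"]))
```

On the constructed sample this reports the `jdoe` logon (external source and three failures immediately before) and the `admin` logon (external source); the internal `svc_backup` RDP session and the non-RDP `alice` logon are left alone. In a real environment the same logic would be fed from the Security event log or a SIEM, and the trusted range would be replaced by the organisation's actual VPN and jump-host addresses.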

BlackCat attacked the Italian university

On June 11, 2022 (a Saturday), the University of Pisa reported the ransomware attack. As usual, files were encrypted, but at first no ransom note was found. The ransom note appeared several days later, on June 14. The cybercriminals asked for a $4.5 million ransom to be paid by June 16, 2022. That is a big sum for such a short period, though not a record: a year ago, Kaseya received a $70 million ransom demand from the REvil ransomware group, and that did not end well for the gang. It is still not clear how exactly the hackers got into the corporate network, or whether the ransom will be paid at all. Neither the gang nor university representatives have commented on the situation.

The BlackCat group stands out in the current ransomware landscape. Some analysts compare it with the LockBit ransomware group, which is likewise known for its mature tooling. The absence of any restrictions on possible targets also makes it possible for the group to take market share from other actors. Microsoft also reported on DEV-0504 and DEV-0237, two ransomware affiliates deploying the latest BlackCat payload. Switching between payloads is common among ransomware-as-a-service affiliates, the company says, as it brings in more money and makes the ransomware harder to detect.
