
Multiple Similarities Identified in BlackMatter And BlackCat Ransomware


Cisco Talos researchers have spotted overlaps in the tactics, techniques, and procedures (TTPs) of BlackCat and BlackMatter, indicating a strong connection between the two ransomware groups.

According to the Cisco Talos findings, BlackCat first emerged on the ransomware-as-a-service (RaaS) scene in November 2021 and has since targeted several companies by exploiting vulnerabilities in Windows systems. It has been called out for its similarity to BlackMatter, a short-lived ransomware family that originated from DarkSide, the group that made news last year with the ransomware attack on Colonial Pipeline.

In an interview with the cybersecurity firm Recorded Future last month, a BlackCat spokesperson dismissed rumors that it's a rebranding of BlackMatter while noting that it's made up of affiliates linked with other RaaS groups.

"In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts (aka affiliates)," the unnamed representative stated. "We borrowed their advantages and eliminated their disadvantages."

"BlackCat seems to be a case of vertical business expansion," Cisco Talos researchers Tiago Pereira and Caitlin Huey said. "In essence, it's a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue."

In addition, the researchers uncovered multiple similarities between a BlackMatter attack in September 2021 and a BlackCat attack in December 2021, including the tools and file names employed, as well as a domain used to maintain persistent access to the target network.

This overlapping use of the same command-and-control address suggests that a BlackMatter affiliate was likely an early adopter of BlackCat, possibly within its first month of operation. Both attacks took more than two weeks to reach the encryption stage.

"As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist," the researchers added.

The best way to mitigate the risk is to invest in the best antivirus software, allowing for peace of mind when conducting business or sending private information. So far, more than 30% of the BlackCat group's targets have been U.S.-based companies, so enterprises in North America are advised to be prepared in case they are the ransomware group's next target.

New Bipartisan Bill Would Require Firms to Report Cyber Incidents Within 72 hours


Financial institutions critical to U.S. national interests will now have to report substantial cyber assaults and ransom payments to the federal government under a bill passed by Congress and expected to be signed by President Joe Biden, according to an Associated Press report.

The move comes amid the escalating war in Ukraine and concerns about possible Russian cyber threats to U.S. firms. Last year, multiple private and government organizations were jolted by a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private firms, which have often not gone to the FBI or other agencies for assistance.

The reporting requirement was approved by the House and Senate on Thursday. It is expected to be signed into law by President Biden soon. “It’s clear we must take bold action to improve our online defenses,” stated Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee.

AP wrote that the new rules require any entity considered part of America’s critical infrastructure, including finance, transportation, and energy, to report any “substantial cyber incident” within 72 hours, and any ransomware payment they make within 24 hours, to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. 

According to Heather Hogsett, a senior leader of the Bank Policy Institute’s technology policy division, the 36-hour notices of service disruption “allow bank regulators to keep a pulse on what is happening in the country’s financial services industry” while the 72- and 24-hour notices to CISA will allow the agency to “produce reports about threat actors and provide early warning of potential attack vectors.”

In recent years, ransomware attacks have flourished beyond expectation and have targeted multiple high-profile organizations. Last year, ransomware operators hit the biggest U.S. fuel pipeline and the world's biggest meat packing company.

State-backed hackers based in Russia and China have had success in spying on and hacking U.S. targets, including those deemed critical infrastructure, Reuters reported.

Security experts and government officials are concerned that Russia's war in Ukraine has increased the threat of cyberattacks against U.S. entities by either state or proxy actors. Many ransomware operators live and work in Russia.

“As our nation rightly supports Ukraine during Russia’s illegal, unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable,” said Sen. Rob Portman, a Republican from Ohio.