Sophos X-Ops presents the latest threat intelligence results. BlackCat ransomware gang uses the Brute Ratel pentesting tool as a new attack tool. Attack series shows how cybercriminals infect computers worldwide through unpatched firewalls and VPN services.
Sophos X-Ops reveals in its new report, "BlackCat Ransomware Attacks Not Merely a Byproduct of Bad Luck", that the ransomware gang has added the Brute Ratel pentesting tool to its arsenal of attack tools. The report describes a series of ransomware attacks in which BlackCat used unpatched or outdated firewalls and VPN services to penetrate vulnerable networks and systems in various industries worldwide.
BlackCat with ransomware-as-a-service
BlackCat ransomware first emerged in November 2021 as a self-declared "leader" in the ransomware-as-a-service space and quickly attracted attention for its unusual choice of the Rust programming language. As early as December 2021, affected companies contacted Sophos Rapid Response to have at least five BlackCat attacks investigated. In four of these incidents, initial access was gained by exploiting vulnerabilities in products from various firewall vendors. One of these vulnerabilities dates back to 2018, another was discovered last year. Once inside the network, the cybercriminals were able to obtain the VPN credentials stored on these firewalls. This allowed them to log in as authorized users and then move through the systems using the Remote Desktop Protocol (RDP).
As in previous BlackCat incidents, the attackers also used open source and commercially available tools to create additional backdoors and alternative ways to remotely access the targeted systems. These included TeamViewer, nGrok, Cobalt Strike, and Brute Ratel.
Post-exploitation C2 framework Brute Ratel
“In recent BlackCat and other attacks, we've seen threat actors work very efficiently and effectively. They use best practices such as attacks on vulnerable firewalls and VPNs. But they were also very innovative in evading security measures and switched their attacks to the newer post-exploitation C2 framework Brute Ratel,” explains Christopher Budd, senior manager, threat research at Sophos.
Attacks without a clear pattern
No clear pattern could be observed in the attacks. They took place in the US, Europe and Asia at large companies operating in various industry segments. However, the attacked companies had certain weaknesses in their environments that made the attackers' job easier. These included outdated systems that could no longer be updated with the latest security patches, a lack of multi-factor authentication for VPNs, and flat networks (unsegmented networks in which every host can reach every other host).
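The chain described above (VPN credentials taken from a firewall, a login that looks like an authorized user, then RDP across a flat network) leaves a detectable trace: one VPN-assigned address opening RDP sessions to many hosts shortly after the VPN login, and VPN logins that never passed MFA. The following is an added illustration of that detection logic, not code from the Sophos report; the VPN pool range, hostnames, user names, addresses and timestamps are all constructed, and the RDP records mimic the fields of a Windows 4624 logon event (logon type 10 is RemoteInteractive).

```python
"""Detect RDP fan-out from VPN-assigned addresses and VPN logins without MFA.

Added example with constructed data; not part of the Sophos report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the VPN concentrator hands out client addresses from this pool.
VPN_POOL = ip_network("10.200.0.0/16")


@dataclass
class VpnLogin:
    ts: datetime
    user: str
    assigned_ip: str
    mfa: bool  # whether the VPN login completed a second factor


@dataclass
class RdpLogon:
    ts: datetime
    target_host: str
    user: str
    source_ip: str
    logon_type: int  # 10 = RemoteInteractive (RDP) in Windows event 4624


def find_vpn_logins_without_mfa(vpn_logins):
    """Users whose VPN session was established with a password alone."""
    return [v.user for v in vpn_logins if not v.mfa]


def find_rdp_fanout(vpn_logins, rdp_logons, max_hosts=3, window=timedelta(hours=1)):
    """Alert on VPN sessions whose address reaches more than max_hosts distinct
    hosts over RDP within `window` of the VPN login. Returns a list of dicts."""
    by_source = defaultdict(list)
    for r in rdp_logons:
        # Only RDP logons whose source is a VPN client address are of interest.
        if r.logon_type == 10 and ip_address(r.source_ip) in VPN_POOL:
            by_source[r.source_ip].append(r)

    alerts = []
    for v in vpn_logins:
        hosts = {
            r.target_host
            for r in by_source.get(v.assigned_ip, [])
            if v.ts <= r.ts <= v.ts + window
        }
        if len(hosts) > max_hosts:
            alerts.append({
                "user": v.user,
                "vpn_ip": v.assigned_ip,
                "hosts": sorted(hosts),
                "mfa": v.mfa,
            })
    return alerts


# Constructed sample data: one suspicious VPN session and one benign one.
T0 = datetime(2022, 8, 10, 9, 0)
SAMPLE_VPN_LOGINS = [
    VpnLogin(T0, "jsmith", "10.200.1.15", mfa=False),
    VpnLogin(T0, "alee", "10.200.1.22", mfa=True),
]
SAMPLE_RDP_LOGONS = [
    RdpLogon(T0 + timedelta(minutes=5), "FS01", "jsmith", "10.200.1.15", 10),
    RdpLogon(T0 + timedelta(minutes=12), "DC01", "jsmith", "10.200.1.15", 10),
    RdpLogon(T0 + timedelta(minutes=20), "SQL01", "jsmith", "10.200.1.15", 10),
    RdpLogon(T0 + timedelta(minutes=31), "HR-WS7", "jsmith", "10.200.1.15", 10),
    RdpLogon(T0 + timedelta(minutes=10), "FS01", "alee", "10.200.1.22", 10),
    # Outside the one-hour window: not counted toward jsmith's fan-out.
    RdpLogon(T0 + timedelta(hours=3), "BK01", "jsmith", "10.200.1.15", 10),
    # Not from the VPN pool: ignored by the VPN-focused rule.
    RdpLogon(T0 + timedelta(minutes=15), "FS01", "svc", "192.168.5.5", 10),
]

if __name__ == "__main__":
    print("VPN logins without MFA:", find_vpn_logins_without_mfa(SAMPLE_VPN_LOGINS))
    for a in find_rdp_fanout(SAMPLE_VPN_LOGINS, SAMPLE_RDP_LOGONS):
        print(f"RDP fan-out from VPN client {a['vpn_ip']} ({a['user']}, mfa={a['mfa']}): {a['hosts']}")
```

The threshold of three hosts per hour is a constructed starting point; in practice it is tuned against the normal fan-out of administrators who legitimately RDP from the VPN, and the rule is most useful on a flat network, where nothing else stops a single VPN client from reaching every server.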
"The common denominator for all of these attacks is that they were easy to execute," Budd said. "In one instance, the same BlackCat attackers installed cryptominers a month before the ransomware was launched. Our recent research highlights the importance of following security best practices. You can still prevent and thwart attacks, even multiple attacks on a single network."
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.