Inside a ransomware incident: How a single mistake left a door open for attackers
A security vulnerability that was left unpatched for three years allowed a notorious cyber-criminal gang to breach a network and plant ransomware.
The BlackCat ransomware attack against the undisclosed organisation took place in March 2022 and has been detailed by cybersecurity researchers at Forescout who investigated the incident.
BlackCat ransomware – also known as ALPHV – is becoming one of the most active ransomware groups currently, to the extent that the FBI has released an alert about it, warning how the group has compromised at least 60 victims around the world.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
While BlackCat has a reputation for running a sophisticated ransomware operation, it was a simple technique that allowed malicious cyber criminals to gain initial access to the network – exploiting an SQL injection vulnerability in an internet-exposed SonicWall SRA 4600 firewall.
A security patch has been available to fix the vulnerability since 2019, but it hadn’t been applied in this case, providing cyber criminals with an easy entry point into the network.
From there, the attackers were able to gain access to usernames and passwords, using them to gain access to ESXi servers, where the ransomware payload was ultimately deployed.
BlackCat deploys several techniques not used by other ransomware groups designed to make attacks successful. For starters, the ransomware is written in the Rust programming language, which is unusual for malware and makes it more difficult to detect and examine.
The ransomware also uses a unique binary for each victim, based around information found in the target environment. The unique binary makes it more difficult to identify attacks as the code used in each campaign will be slightly different.
“A unique binary that is not general for each victim makes the detection harder,” Daniel dos Santos, head of security research at Forescout, told ZDNet.
In the case of the March 2022 incident, the attack was partially successful. BlackCat ransomware successfully encrypted servers and files, but the attack wasn’t able to spread to other parts of the network because it had been segmented. While the attackers could control one area of the network, they couldn’t move into other sections.
“The segmentation was actually well done in this case and that’s why it was contained,” said dos Santos, who added that this attack using BlackCat ransomware-as-a-service appeared to have been carried out by a cyber criminal who was still learning how to conduct attacks properly.
“The impression we got is that the affiliate that was running the actual malware wasn’t very experienced”.
SEE: Google: We’re spotting more zero-day bugs than ever. But hackers still have it too easy
However, despite the inexperience of the attacker, some servers were still infected with malware. While no ransom was paid, and the network segmentation reduced the impact of the attack, the whole incident could have been avoided if some basic cybersecurity hygiene advice had been followed.
Those steps would have included applying the relevant security updates to fix a vulnerability that was first disclosed in 2019.
“The biggest lesson here is patch the network infrastructure – whatever is facing the internet, it’s always important for it to be fully patched,” said dos Santos.
It’s also recommended that organisations monitor their networks for external access from known IP addresses or unusual patterns of behavior. In addition, businesses should backup their servers regularly. Then, if something happens, the network can be restored to a recent point without needing to pay a ransom.