BlackCat: The Hottest Ransomware Group of The Year

Historically, criminals had to physically raid a bank or a business to extort money; today the same crime can be committed with no physical contact at all, from the other side of the world. This is ransomware: threat actors gain access to an organization's data, encrypt it and render its systems inoperable until a ransom is paid, and increasingly they also steal the data first and threaten to publish or sell it.

As the ransomware epidemic escalates, cyber criminals are becoming more capable and their attacks more sophisticated. As a result, large-scale, disruptive cyber attacks are becoming the norm.

Over the past year or so, cyber threats have risen to an all-time high, from small-scale smishing (SMS phishing) campaigns aimed at the general public to headline-making ransomware attacks on businesses and governments around the globe.

About BlackCat

One of the most active cyber-gangs today is the ransomware group BlackCat, also known as ALPHV. According to Palo Alto Networks, BlackCat operates as Ransomware as a Service (RaaS): third-party affiliates deploy the malware and keep 80-90% of the ransom, with the remainder going to the developers. Advertised on cybercrime forums and active since November 2021, the operation quickly gained traction among affiliates, very likely because of that unusually generous profit share.

Figure 1. Palo Alto Networks data: BlackCat leak site victims by country.

The malware itself is also sophisticated and is among the first ransomware families written in Rust. Rust compiles to native binaries for Windows, Linux and VMware ESXi, so a single code base lets ALPHV (BlackCat) target all three platforms, and Rust payloads were, at the time, less well covered by analysis tooling and signatures than the conventional C/C++ payloads of earlier families. According to Palo Alto Networks, victims are spread worldwide, with the U.S. most heavily targeted (41.7%), followed by Germany, the Netherlands, France, Spain and the Philippines.

BlackCat Headlines

The group is quickly gaining notoriety. Most recently, on 11 February, aviation services company Swissport announced that it had suffered a ransomware attack that delayed flights and caused other disruption. The company announced the incident on Twitter:

"IT security incident at #Swissport contained. Affected infrastructure swiftly taken offline. Manual workarounds or fallback systems secured operation at all times. Full system clean-up and restoration now under way. We apologize for any inconvenience."

BlackCat has claimed responsibility for the attack. According to Pierluigi Paganini, a member of ENISA, BlackCat operators published a sample of data allegedly stolen during the attack and claim to hold 1.6 TB in total, which they have put up for sale.

The leaked sample is said to include business documents, tax declarations and scans of passports and ID cards. It also includes personal information about job candidates: name, passport number, nationality, religion, email address, phone number, job role, interview scores and more.

Other large-scale disruptions include the attack announced on 29 January against two German oil companies, which caused widespread disruption at hundreds of gas stations across Germany.

Researchers have also noted similarities between this attack and the work of the infamous DarkSide gang, which was blamed for the May 2021 attack on Colonial Pipeline Co. that shut down the largest gasoline pipeline in the U.S. for several days. DarkSide went dark following law enforcement action after that attack, and members of the gang are believed to have regrouped under the BlackCat brand.

How can I protect my organization from ransomware?

Protecting an organization from ransomware is hard, and no single control is enough. Preventive measures range from training employees to recognise phishing and smishing, to keeping endpoint protection and patches current, to ensuring that all critical data is backed up, with copies kept offline or immutable so the encryptor cannot reach them and with restores tested regularly. Even with all of this in place, a vulnerability in one of your third-party suppliers' infrastructure can still act as the attacker's entry point.

Learn how secure your business is today with an instant, non-intrusive, free assessment of your organization. Gain digital risk intelligence over your entire vendor ecosystem with security ratings integrated into leading GRC and VRM solutions. Sign up here to receive your free security score.