BlackCat Ransomware may become much more dangerous

After recent attacks, new research suggests that BlackCat ransomware could be getting a whole lot more dangerous.

As we’ve previously reported, BlackCat is a ransomware-as-a-service (RaaS) operation that aggressively recruits affiliates from other ransomware groups and targets organizations worldwide. BlackCat extorts money from victims by stealing sensitive information and encrypting their systems. It goes one step further by threatening to launch a distributed denial-of-service (DDoS) attack if demands aren’t met.

In a new report from Sophos, it appears that Brute Ratel, a commercial penetration-testing and adversary-simulation framework, has been added to the BlackCat arsenal. Because the framework is built to slip past security defenses, this makes the ransomware operation considerably more dangerous.

“What we’re seeing with BlackCat and other attacks recently is that threat actors are very efficient and effective in their work. They use tried and true methods, like attacking vulnerable firewalls and VPNs, because they know these still work. But they show innovation to avoid security defenses, like switching to the new post-exploitation C2 framework Brute Ratel in their attacks,” said Christopher Budd, senior manager, threat research at Sophos.

Brute Ratel is not the only tool in the BlackCat toolkit. Other off-the-shelf, commercially available tools that provide backdoors and alternative remote access, including TeamViewer, ngrok and Cobalt Strike, were used as well.

BlackCat affiliates look for outdated firewalls and unpatched VPN services as their initial point of entry. Since December 2021, they have successfully infiltrated at least four organizations by exploiting vulnerabilities in firewalls. Once inside, they extract credentials from the compromised firewalls and use them to move laterally through the victim’s network.

The organizations hit by BlackCat shared several weaknesses: systems that have reached end-of-life, VPN access that is not protected by multifactor authentication, and flat networks that let an intruder move freely once inside. BlackCat has targeted businesses in the US, Europe and Asia.
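Two of the patterns described above, off-the-shelf remote-access tools such as ngrok and TeamViewer turning up as alternative backdoors, and VPN logins that succeed without multifactor authentication, can be picked out of ordinary endpoint and VPN telemetry. The following Python is an added example written for this story, not code from Sophos or from the original report; the key=value log format, the binary names, the approved-host allowlist and every sample event are constructed assumptions. It flags ngrok wherever it runs, TeamViewer outside a sanctioned install on a helpdesk host, and successful VPN logins with no MFA step.

```python
"""Added example (not the article's or Sophos's code): flag two BlackCat
precursors in constructed logs, a remote-access/tunnelling tool running where
it does not belong, and a VPN login that succeeded without MFA.
Log format, tool names, approved hosts and sample events are all assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Off-the-shelf remote-access tools the story names, keyed by assumed binary name.
REMOTE_ACCESS_TOOLS: Dict[str, str] = {
    "ngrok.exe": "ngrok tunnel",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
}
# Hosts where the helpdesk legitimately runs TeamViewer (assumed allowlist).
APPROVED_TEAMVIEWER_HOSTS = {"HELPDESK-01"}

# Constructed sample telemetry in a simple key=value format; not real data.
PROCESS_LOG = """\
ts=2022-07-12T08:01:05Z host=FILESRV-02 user=svc_backup image="C:\\Users\\Public\\ngrok.exe" cmdline="ngrok tcp 3389"
ts=2022-07-12T08:03:11Z host=HELPDESK-01 user=jdoe image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" cmdline="TeamViewer.exe"
ts=2022-07-12T08:07:40Z host=DC-01 user=Administrator image="C:\\Windows\\Temp\\TeamViewer.exe" cmdline="TeamViewer.exe"
ts=2022-07-12T08:09:02Z host=WS-117 user=asmith image="C:\\Windows\\System32\\notepad.exe" cmdline="notepad.exe"
"""
VPN_LOG = """\
ts=2022-07-12T02:14:33Z event=vpn_login user=contractor7 src=203.0.113.45 result=success mfa=false
ts=2022-07-12T03:02:51Z event=vpn_login user=admin src=203.0.113.45 result=failure mfa=false
ts=2022-07-12T07:58:10Z event=vpn_login user=jdoe src=198.51.100.9 result=success mfa=true
"""

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value pairs; values containing spaces must be double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


@dataclass
class Finding:
    ts: str
    subject: str
    reason: str


def flag_remote_access_tools(log: str) -> List[Finding]:
    """Flag ngrok anywhere, and TeamViewer outside its approved host and install path."""
    findings = []
    for line in log.splitlines():
        ev = parse_kv(line)
        image = ev.get("image", "")
        tool = REMOTE_ACCESS_TOOLS.get(image.rsplit("\\", 1)[-1].lower())
        if tool is None:
            continue
        if (tool == "TeamViewer"
                and ev.get("host") in APPROVED_TEAMVIEWER_HOSTS
                and image.lower().startswith("c:\\program files\\")):
            continue  # sanctioned helpdesk install, not a dropped copy in Temp
        findings.append(Finding(ev["ts"], f"{ev['host']}/{ev['user']}",
                                f"{tool} launched from {image}"))
    return findings


def flag_vpn_logins_without_mfa(log: str) -> List[Finding]:
    """Flag successful VPN logins where the MFA step did not happen."""
    findings = []
    for line in log.splitlines():
        ev = parse_kv(line)
        if ev.get("event") != "vpn_login" or ev.get("result") != "success":
            continue
        if ev.get("mfa", "false").lower() != "true":
            findings.append(Finding(ev["ts"], ev["user"],
                                    f"VPN login from {ev['src']} without MFA"))
    return findings


if __name__ == "__main__":
    for f in flag_remote_access_tools(PROCESS_LOG) + flag_vpn_logins_without_mfa(VPN_LOG):
        print(f"{f.ts} {f.subject}: {f.reason}")
```

Cobalt Strike and Brute Ratel are deliberately not matched here: their beacons are normally injected into other processes and rarely carry a telling file name, so they need behavioural or memory-based detection rather than a binary-name check. Run against the constructed logs, the script reports the ngrok tunnel on the file server, the TeamViewer copy dropped into Windows\Temp on the domain controller, and the contractor’s VPN login that bypassed MFA.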

“The common denominator with all these attacks is that they were easy to carry out. In one instance, the same BlackCat attackers installed cryptominers a month before launching the ransomware. This latest research highlights how important it is to follow established best security practices; they still have a lot of power to prevent and thwart attacks, including multiple attacks against a single network,” said Budd.

Story via TechRadar
