Threat Watch

BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers

This week, Microsoft warned that the BlackCat ransomware group, also known as AlphV, are leveraging exploits for unpatched Exchange server vulnerabilities to access victim networks. BlackCat was first seen in November 2021 when at the time, it was one of the only ransomware groups utilizing the Rust programing language. They likely are the pioneers of ransomware groups using uncommon programming languages to evade detection. In a report published by Microsoft, a representative stated, “In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in,” the researchers said, pointing out how “no two BlackCat ‘lives’ or deployments might look the same.” Ransomware attacks continue to be extremely lucrative for criminal gangs and therefore the ransomware ecosystem continues to group, become more efficient, and evolve with each attack. Microsoft believes several ransomware gangs have started distributing BlackCat, such as Hive, Conti, REvil, and LockBit. According to the FBI, BlackCat ransomware attacks have victimized at least 60 entities worldwide as of March 2022.


Organizations that are victims of ransomware attacks should seek professional help from incident response and data recovery service providers and should report the incident to law enforcement. Organizations should also initiate proactive measures to ensure they are protected from ransomware. To protect against ransomware attacks, organizations should:
• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
• Install updates/patch operating systems, software, and firmware as soon as practical after they are released.
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats and respond quickly.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes.
• Avoid reusing passwords for multiple accounts.
• Focus on cyber security awareness and training.

The many lives of BlackCat ransomware