Defending Against BlackCat: An Inside Look at a Ransomware Attack
In the continually evolving world of cybersecurity, one of the most significant threats that organizations face is ransomware. Ransomware attacks are continually evolving, giving rise to more complex and devastating forms of cybercrime. Cybercriminals focus on various targets, including data breaches, fraud, identity theft, and vulnerabilities, making it crucial for companies to understand the hallmarks of these attacks to formulate their defense strategies.
The spotlight of this article is on a BlackCat ransomware attack, as reported from the perspective of incident response experts at Sygnia. The company was approached by a victim, a company experiencing suspect activity on its network, leading to a ransomware attack diagnosis. Given the imminent danger, Sygnia recommended the victim to disconnect immediately from the internet to mitigate further damage.
The attacker then was identified as BlackCat. This case represented a supply chain attack where the victim’s vendor was compromised first. Successful penetration into the victim’s network led the attackers to consolidate their position, making the battleground noisy.
The Anatomy of the BlackCat Ransomware Attack
The progress of the BlackCat attack was meticulously tracked by Syngia experts. Initial attempts to access the victim’s network were made using the compromised vendor. The attackers tried Remote Desktop Protocol (RDP) and Server Message Block (SMB) logon to the victim’s servers. After a few successful logons, brute force authentication attacks were attempted.
Once the attacker successfully connected over RDP to a server on the victim’s network, it started using it as a ‘pivot server’ for reconnaissance and lateral movement. This action set off alerts regarding anomalous activities in the victim’s security controls, but they were initially dismissed due to the common issue of alert fatigue and possible false positives.
By now, the attackers had managed to access and exfiltrate some data, but had not begun the encryption process thanks to the swift decision to disconnect from the internet. Despite the halted encryption process, the attackers attempted to extort the victim over the stolen data for the next three weeks.
Lessons Learnt: Early Response and Decisive Actions
There are numerous lessons to learn from this incident. One of the most critical takeaways is the importance of early and expert incident response. It is also crucial to consider how the attacker may react to various defensive actions, without revealing the defensive activities to the attacker. In this case, the victim’s senior management was courageous enough to disconnect the internet, a severe action that helped limit the damage.
In conclusion, dealing with cyber threats like ransomware requires swift action, expert knowledge, and the courage to take drastic measures. It is this combination that can limit the attacker’s actions and save the day, even if the attack has reached an advanced stage. Drastic action might not prevent all forms of data theft, but it does help limit the extent of the damage and increases the company’s chance of survival.
Related links:
https://www.securityweek.com/anatomy-of-a-blackcat-attack-through-the-eyes-of-incident-response/