The Microsoft 365 Defender Threat Intelligence Team has described two incidents in which cybercriminals deployed BlackCat ransomware payloads without administrator privileges, according to a report published June 13, 2022.
In the first incident, the attackers gained initial access through an unpatched Exchange server, Microsoft noted. After exploiting the vulnerability, they collected information about the network and its devices, harvested account credentials, and then used those credentials to identify lateral movement targets and move through the environment before deploying the ransomware.
In the second incident, the attackers used compromised credentials to log in to an Internet-facing Remote Desktop server and, from that foothold, worked their way into the target's environment, Microsoft indicated. Once inside, they launched Total Software Deployment (TSD), an administrative tool for remote, automated software deployment, and then installed the ScreenConnect remote-access application to establish a remote session in the user's environment and keep that access available.
To date, Microsoft has attributed BlackCat deployments to two ransomware affiliate groups it tracks as DEV-0237 and DEV-0504. It noted that DEV-0504 was seen deploying BlackCat as early as December 2021, and that DEV-0237 began launching BlackCat attacks in March 2022.
Microsoft's BlackCat warning follows a May 2022 report from managed detection and response (MDR) provider Blackpoint Cyber describing new tactics, techniques and procedures (TTPs) attributed to BlackCat threat actors.
Blackpoint found that BlackCat threat actors deployed Total Software Deployment (TSD), a remote management tool commonly used by MSSPs, MSPs and ITSPs, and used ScreenConnect for remote control and lateral movement. Because both tools are legitimate and often present in managed environments, their appearance is only suspicious in context: for example, when they are installed shortly after a remote logon from an unexpected source.
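The chain described in both reports above (a credential-based logon to an Internet-facing Remote Desktop server, followed by ScreenConnect or TSD appearing on that host) is something a detection team can correlate from ordinary Windows event logs. The script below is an added example, not code from Microsoft, Blackpoint or this page: it pairs a remote-interactive logon (event 4624, logon type 10) from outside a set of internal address ranges with a later service installation (7045) or process creation (4688) whose name or path matches one of the two tools. The pipe-delimited log lines, the field names, the tool indicator substrings, the four-hour correlation window and the list of internal ranges are all assumptions made for the example.

```python
"""Correlate external RDP logons with later remote-tool installs on the same host.

Runs over constructed Windows Security/System event records (not real logs):
4624 logon type 10 from a non-internal address to an internet-facing host,
followed within WINDOW by a 7045 service install or 4688 process creation of
ScreenConnect / Total Software Deployment on that host.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta
from typing import Iterable

# Assumed indicators for the two tools named in the reports, matched
# case-insensitively against service names, image paths and process names.
TOOL_INDICATORS = ("screenconnect", "total software deployment")

# Assumed internal ranges. ipaddress.is_private would also treat the RFC 5737
# documentation ranges used below as sample "external" addresses as private,
# so an explicit list is used instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

RDP_REMOTE_INTERACTIVE = 10   # 4624 LogonType value for RDP sessions
WINDOW = timedelta(hours=4)   # assumed: how long after a logon an install is attributed to it


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def tool_indicator(text: str) -> str | None:
    """Return the first tool indicator found in text, or None."""
    low = text.lower()
    return next((ind for ind in TOOL_INDICATORS if ind in low), None)


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' event line into a dict."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event_id"] = int(fields["event_id"])
    return fields


def detect_chain(lines: Iterable[str]) -> list[dict]:
    """Pair each remote-tool install with the most recent external RDP logon
    on the same host inside WINDOW; every such pair becomes one alert."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    external_logons: list[dict] = []
    alerts: list[dict] = []
    for ev in events:
        eid = ev["event_id"]
        if (eid == 4624 and int(ev.get("logon_type", -1)) == RDP_REMOTE_INTERACTIVE
                and is_external(ev["src_ip"])):
            external_logons.append(ev)
            continue
        if eid == 7045:
            text = f"{ev.get('service_name', '')} {ev.get('image_path', '')}"
        elif eid == 4688:
            text = ev.get("new_process", "")
        else:
            continue
        tool = tool_indicator(text)
        if tool is None:
            continue
        for logon in reversed(external_logons):
            delta = ev["time"] - logon["time"]
            if logon["host"] == ev["host"] and timedelta(0) <= delta <= WINDOW:
                alerts.append({
                    "host": ev["host"], "user": logon["user"], "src_ip": logon["src_ip"],
                    "tool": tool, "logon_time": logon["time"].isoformat(),
                    "install_time": ev["time"].isoformat(),
                })
                break
    return alerts


# Constructed sample events: one malicious chain on RDS01, a benign helpdesk
# install after an internal logon on WS07, and an install on RDS02 that falls
# outside the correlation window.
SAMPLE_EVENTS = [
    r"time=2022-05-02T01:12:09|host=RDS01|event_id=4624|logon_type=10|user=CORP\jdoe|src_ip=198.51.100.23",
    r"time=2022-05-02T01:20:41|host=RDS01|event_id=7045|service_name=ScreenConnect Client (4f1e)|image_path=C:\Program Files (x86)\ScreenConnect Client (4f1e)\ScreenConnect.ClientService.exe",
    r"time=2022-05-02T01:35:02|host=RDS01|event_id=4688|new_process=C:\Program Files\Total Software Deployment\tsd.exe",
    r"time=2022-05-02T09:00:00|host=WS07|event_id=4624|logon_type=10|user=CORP\helpdesk|src_ip=10.20.0.5",
    r"time=2022-05-02T09:05:00|host=WS07|event_id=7045|service_name=ScreenConnect Client (a9b2)|image_path=C:\Program Files (x86)\ScreenConnect Client (a9b2)\ScreenConnect.ClientService.exe",
    r"time=2022-05-02T12:00:00|host=RDS02|event_id=4624|logon_type=10|user=CORP\msmith|src_ip=203.0.113.8",
    r"time=2022-05-02T17:30:00|host=RDS02|event_id=7045|service_name=ScreenConnect Client (77c0)|image_path=C:\Program Files (x86)\ScreenConnect Client (77c0)\ScreenConnect.ClientService.exe",
]


def run_sample() -> list[dict]:
    """Run the correlation over the constructed events."""
    return detect_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only the RDS01 chain produces alerts (one for ScreenConnect, one for TSD): the helpdesk install on WS07 follows an internal logon, and the RDS02 install is too far from its logon to be attributed to it. In a real deployment the internal ranges, the tool indicators and the window would be tuned to the environment, and the source set would include the Remote Desktop gateway's own logs as well as 4624.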
How to Defend Against BlackCat Ransomware Attacks
Microsoft provided the following recommendations to help organizations guard against BlackCat ransomware attacks:
- Prioritize Credential Hygiene: Avoid running services under domain accounts with broad privileges. Where a service genuinely needs local administrative rights, run it as Local System rather than as a privileged domain account, so that a compromised service does not hand the attacker reusable domain credentials. Organizations can use LUA Buglight and similar tools to determine the minimum privileges their applications actually require.
- Evaluate Your Security Posture: Inventory and monitor externally reachable servers, systems and applications (Exchange and Remote Desktop servers among them, given the two incidents above) and address any vulnerabilities immediately.
- Build a Comprehensive Threat Defense Strategy: Develop and maintain a coordinated threat defense strategy. Organizations can use multiple threat protection technologies and correlate threat data from endpoints, cloud apps and other sources. In doing so, they can identify vulnerable or misconfigured devices and surface ransomware and other cyber threats.
Microsoft also offered several recommendations to reduce the impact of BlackCat ransomware attacks, such as:
- Require strong, randomized local administrator passwords (for example, with Microsoft's Local Administrator Password Solution, LAPS), so that one recovered local admin password cannot be reused across hosts.
- Use an up-to-date antivirus solution, and keep its tamper-protection features enabled so an intruder cannot simply disable it before running the payload.
- Require multi-factor authentication for access to virtual private networks (VPNs) and for any other remote-access path, such as the Internet-facing Remote Desktop server through which the second incident above began.
BlackCat is a ransomware-as-a-service (RaaS) operation that continues to hit organizations worldwide and shows no sign of abating. MSSPs, for their part, can offer managed security services to protect organizations against BlackCat and other ransomware families.