BlackCat Ransomware Leveraging Remote Monitoring Tools to Encrypt Azure Storage

BlackCat Ransomware variant Sphynx has been newly identified with additional features used for encrypting Azure Storage accounts. This Sphynx variant of BlackCat was first discovered in March and was upgraded in May, which added the Exmatter exfiltration tool. 

Another version of Sphynx was released in August, which included new command-line arguments that can override the credentials inside the config files obtained from compromised systems.

Microsoft published a post in August that mentioned the inclusion of Impacket (for credential dumping and remote service execution) and Remcom tools. In addition, it also consisted of some compromised credentials that are used for lateral movement and further ransomware deployment.

“This BlackCat version also has the Remcom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment.” reads the thread by Microsoft on Twitter.

Threat Actors Access Azure portal

Threat actors could steal Azure keys by accessing the customer’s Azure portal. These keys were then base64 encoded and embedded with the ransomware binary with command line executions.

An -o argument was included in the command line arguments, which targets an Azure storage account name and access key; this binary was executed multiple times with 39 unique Azure Storage accounts, resulting in encrypting them with ransomware.

During this operation, threat actors used tools like AnyDesk, SplashTop, and Atera combined with the Chrome browser to access the LastPass vault browser extension. Moreover, threat actors also obtained OTP for accessing the Sophos Central account for managing other Sophos products.

On investigating further, it was found that threat actors proceeded to change the security policies and tamper protection before encrypting the systems and Azure Storage accounts with IzBEIHCMxAuKmis6.exe with the extension .zk09cvt. 

Notable Change

Denoting the changes mentioned by IBM, this Sphynx variant of BlackCat does not include -access-token parameter but instead it now uses keys like ‘-8UwUubTNYzygbQPJF -x_ -NI3_zn6Jr -U8Z -hedu5PO -CBJC7jzy -HFVmgW -DK3rdo’ and includes a set of more complex arguments.

Sophos provides detailed information about the operation, source code, and indicators of compromise of this variant of BlackCat.

It is highly recommended that organizations implement and adhere to necessary precautions and measures to effectively prevent and combat the occurrence of ransomware attacks. Such proactive and vigilant steps can significantly reduce the risk of devastating consequences that may result from these malicious attacks.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.