According to Microsoft, the BlackCat ransomware group is gaining access to targeted networks by exploiting unpatched Exchange server security flaws.
After gaining access, the threat actors quickly began collecting information about the compromised systems, followed by credential theft, lateral movement, intellectual-property collection, and delivery of the ransomware payload.
In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in.
The Anatomy of BlackCat Ransomware
BlackCat, also known as ALPHV and Noberus, is one of the first ransomware families written in the Rust programming language. Its use of a modern language exemplifies a recent trend in which cybercriminals are moving to languages like Rust or Go for their payloads.
They do this not only to evade traditional security software but also to hinder security specialists who try to reverse engineer the payloads or compare them to similar threats.
BlackCat is capable of targeting and encrypting Windows, Linux, and VMware instances. It has