The BlackCat ransomware-as-a-service (RaaS) gang’s attack against airline IT firm Accelya last month is a reminder for private equity managers to be vigilant against the threat of cyber-extortion groups.
BlackCat claimed to have pilfered Accelya emails, worker contracts, and more. Accelya is owned by American PE firm Vista Equity Partners, which acquired the IT company in 2019. A spokesperson for the investment firm did not respond to multiple requests for comment.
A July report published by cyber-intelligence firm Resecurity has spotlighted the rising threat posed by BlackCat, one of the most sophisticated Russian ransomware-as-a-service gangs in operation.
In addition to Vista-backed Accelya, the gang’s targeting of accounting and legal firms, called trust and corporate service providers (TCSPs) in compliance parlance, further illustrates the risk posed by this RaaS gang to the PE industry, noted a spokesperson for Hunter, Resecurity’s threat intelligence unit.
BlackCat, which emerged last November, prefers to refer to itself and the ransom strain its affiliates deploy as ALPHV, but it was branded BlackCat by Western malware researchers based on the URL icons used on its victims’ Tor payment sites. Its searchable “wall of shame” onion website (an anonymous website only accessible through the Tor browser) enables anyone to comb through corporate files it has ransomed. It reveals that it has compromised 10 legal and accounting firms out of the roughly 120 publicly disclosed victims overall.
The Resecurity spokesperson said that “the risk of data leak impacting sensitive communications of the fund itself is huge. The group is targeting both IT and business supply chains of potential victims – which allows them to multiply the impact of their malicious activity.”
Reached over the encrypted chat messaging service TOX, ALPHV’s “support” representative denied that they were homing in on any specific sector, industry or geography with any deliberate intent. “We don’t do anything, it’s all just coincidences,” said the ALPHV representative.
DC Advisory ransom
In April, UK-based corporate finance consulting firm DC Advisory became one of the group’s victims. The firm includes among its service offerings a “dedicated Private Capital Group” that helps raise money and conduct private placements for institutional clients.
On April 8, DC Advisory issued a press statement that said it “has been subject to a cybersecurity incident involving illegal access by a third party. This involved unauthorized access to its computer systems in its UK, Italian and Dutch markets.”
This hack was publicized on the gang’s official onion page on April 20, where it threatened to publish all 4.2 terabytes of data exfiltrated from the firm “step by step.”
On May 20, BlackCat uploaded some DC Advisory files to its blog, but it’s unclear if this batch included all of the firm’s stolen data. The DC Advisory download link was also broken at the time of writing.
Emails sent to DC Advisory regarding its experience resolving the incident, whether any of its private funds clients were impacted and whether it paid the ransom went unanswered. ALPHV’s spokesperson did not clarify either.
Origins and enhancements
Believed by the FBI to be the resurrection of previously disbanded ransom gangs Darkside and Blackmatter, Blackcat’s malware most notably distinguishes itself from other groups because it is coded in one of the more modern and “unconventional” programming languages, called Rust.
In addition to the bygone ransom gangs above, the group also includes at least one prolific member of the notorious “REvil” crew, based on interviews with cybersecurity periodical The Record and Private Funds CFO’s conversations with cyber criminal sources who requested anonymity.
ALPHV excels at evading detection. While not the first malware to be coded in the Rust programming language, it is the first piece of ransomware to leverage it, according to cybersecurity company Palo Alto Network’s threat intelligence division, Unit 42.
Using a modern programming language like Rust to deliver its payload means that conventional security solutions in particular may not pick it up, since they “might still be catching up in their ability to analyze and parse binaries written in such a language,” says Microsoft.
Unit 42 also said that Rust is “highly customizable,” making it easy for BlackCat to “pivot and individualize attacks” for a wide array of operating system architectures.
Kurt Baumgartner, principal security researcher at Kaspersky, said BlackCat is a uniquely malicious threat because the masterminds behind the group “have studied and learned from past efforts and their failures – they consider their ‘ransomware-as-a-service’ offering as a next-generation service.”
“Multiple problems that have hindered past operations are better solved by this group, with improvements including advanced encryption/decryption techniques and performance, decentralized stolen data handling, enhanced processing and laundering bitcoin, and hardened victim correspondence,” said Baumgartner.
Methods of attack
Beyond Rust, BlackCat further distinguishes itself by APLHV’s versatility across operating systems and potential attack vectors, along with its links to past and present “prolific threat activity groups,” according to Microsoft.
In one of Blackcat’s first public cyber crime forum postings on the Ransomware Anonymous Marketplace (RAMP) darknet forum, it advertised four next-generation ransomware features: four modes of encryption; infrastructure fragmented with nodes to obfuscate the IP addresses of attackers’ servers; infection interoperability across a variety of operating systems, including “Linux (ESXI, Debian, Ubuntu, and ReadyNas) and all versions from Windows 7 and above”; and the seeding of a unique onion domain for each new victim.
BlackCat is offered as an affiliate program, meaning the number of attack groups using it is growing. Such affiliates, which appear to be most active on RAMP, exploit multiple Microsoft Exchange Server vulnerabilities in addition to insecure virtual private networks (VPNs), remote desktop services (RDPs) and other web services.
Additionally, BlackCat has upped the ante among RaaS groups by recently raising its median ransom asking price to $2.5 million, according to Resecurity. This information is based on Resecurity’s knowledge of several companies in the Nordic region, which BlackCat has not yet publicly named on its blog.
The victim-shaming aspect of BlackCat’s modus operandi is another calling card of the RaaS gang. Resecurity said BlackCat is one of the “fastest-growing” cybercriminal threat groups to practice so-called “quadruple extortion” in its relentless campaign to siphon funds from its victims.
Resecurity classifies the gang’s MO as quadruple extortion based on the four stages of its attack cycle: encryption, data theft, denial of service (DoS) attacks that shut down victim websites and harassment by contacting “customers, business partners, employees and media” to inform them about the victims.
Mitigating third-party risk
Grigoriy Milis, chief technology officer for IT consulting firm RFA, which specializes in advising private fund managers, said, “Regulators have for several years warned of the dangers of not conducting proper cyber due diligence on third-party relationships, for instance a fund’s service providers, which may have less than adequate levels of cybersecurity in place.
“There are two solutions which we recommend managers utilize to reduce the risk of being compromised by a third-party relationship: zero trust and multi-factor authentication.
“A zero-trust network architecture is one in which implicit trust (such as that gained through typical VPN access) is removed and users are continuously validated at every stage of interaction with your network. Multi-factor authentication simply refers to a requirement for users to provide two or more verification factors to gain access to information. These should be incorporated into a holistic cybersecurity strategy that is regularly assessed.”
An August report from cybersecurity firm NCC Group tracked a 47 percent increase in reported ransom attacks in July compared to the previous month. The most prolific RaaS groups were Lockbit, Hiveleaks and BlackBasta.
According to an FBI tip sheet, the bureau “does not support paying a ransom in response to a ransomware attack” because it encourages perpetrators to target more victims and incentivizes other would-be RaaS actors to pursue cyber crime. A spokesperson for the FBI did not respond to a request for comment.