BlackCat's Rust-based ransomware could be more reliable and faster than other attacks
The new ransomware group BlackCat has attacked at least 60 organisations around the world as of last month, says the FBI.
First seen in November 2021, BlackCat - aka ALPHV and Noberus - is said to be the first known ransomware group to successfully break into networks using malware written in the Rust programming language.
Rust emphasises performance, which could make BlackCat's ransomware-as-a-service more reliable and faster. As Rust is also cross-platform, it could make it easier to develop variants for both Windows and Linux.
Matthew Radolec, senior director of incident response and cloud operations at Varonis, told Tech Target's Search Security, "The advantage of Rust is [in] compiling Windows and Linux binaries. If you were building software, there's an advantage to you doing it because more people can use it.
"With ransomware-as-a-service gangs, I would predict the use of more Rust, more flexible code than something like Objective C or Visual Basic, which would be pure Microsoft ecosystem."
In an advisory notice released this week, the FBI said many of the developers and other stakeholders working with or for BlackCat are linked to the DarkSide (aka BlackMatter) gang, 'indicating they have extensive networks and experience with ransomware operations'.
The FBI's advisory note also included details on indicators of compromise, and warned that the ransomware typically uses previously compromised user credentials to gain access to a victim's system. Once it has access, the malware compromises Active Directory user and administrator accounts, then uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware.
Before that, though, the tool also steals victims' confidential data.
The FBI is urging organisations to review domain controllers, servers, workstations and Active Directory deployments for new or unrecognised user accounts; take offline backups; implement network segmentation; apply software updates; and secure accounts with multi-factor authentication.
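One way to carry out the account and GPO review the FBI recommends, as an added PowerShell example (not code from the FBI advisory or this article): it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, the session has read access to the domain, and `$LookbackDays` is an assumed parameter naming the review window.

```powershell
# Added example: list user accounts, privileged-group members and GPOs that appeared
# or changed inside a review window, so an analyst can check them against change records.
# Assumes RSAT ActiveDirectory and GroupPolicy modules; $LookbackDays is an assumed parameter.
param([int]$LookbackDays = 7)

Import-Module ActiveDirectory
Import-Module GroupPolicy

$cutoff = (Get-Date).AddDays(-$LookbackDays)

# 1. User accounts created inside the window (the "new or unrecognised" accounts check).
$newUsers = Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated, MemberOf |
    Select-Object SamAccountName, whenCreated,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }

# 2. Members of privileged groups (direct and nested) whose account was created inside the window.
#    Membership changes live on the group object, so the member's own creation date is what we test.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Get-ADObject -Properties whenCreated |
        Where-Object { $_.whenCreated -ge $cutoff } |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass, whenCreated
}

# 3. GPOs created or modified inside the window; a GPO-deployed payload needs such a change.
$changedGpos = Get-GPO -All |
    Where-Object { $_.ModificationTime -ge $cutoff -or $_.CreationTime -ge $cutoff } |
    Select-Object DisplayName, Id, CreationTime, ModificationTime, GpoStatus

# Print the three result sets; an empty section means nothing matched in the window.
'--- Users created since {0:u} ---' -f $cutoff
$newUsers | Format-Table -AutoSize
'--- Privileged group members created since {0:u} ---' -f $cutoff
$privMembers | Format-Table -AutoSize
'--- GPOs created or modified since {0:u} ---' -f $cutoff
$changedGpos | Format-Table -AutoSize
```

Every hit should be matched to an approved change ticket; anything unexplained is a candidate for the account review and incident-response steps the advisory describes.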