RevealX vs. BlackCat Ransomware

BlackCat has been observed exploiting the ProxyShell vulnerability on Microsoft Exchange servers. ExtraHop detects this exploit and other exploits of public-facing applications with the SQL Injection (SQLi) Attack, Outbound Log4Shell Activity, Log4Shell JNDI Injection Attempt, CVE-2024-21887 Ivanti Connect Secure and Policy Secure Exploit, CVE-2023-4966 Citrix NetScaler ADC and NetScaler Gateway Exploit, CVE-2023-46747 F5 BIG-IP Exploit Attempt detectors.

BlackCat has abused command and script interpreters to execute commands, scripts, and binaries. RevealX detects Command and Scripting Interpreter activity with the Unusual Interactive Traffic from an External Endpoint detector, which identifies network traffic associated with command and script interpreters based on behavioral heuristics.

BlackCat may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. RevealX detects remote registry activity with the Windows Registry Enumeration, Remote Registry Modification, and Windows Registry Modification Activity detectors. These detectors use analytics to scrutinize Windows Registry enumeration and identify abnormal access or exploitations indicative of a potential cyberattack. RevealX also monitors for signs of remote and new registry modifications, which may signify advanced persistent threats or attempts to establish persistent access, elevate privileges, or execute malicious software, thus providing security coverage against these types of attacks.

As noted above, BlackCat deletes logs to remove evidence of their presence and hinder organizations’ defenses. RevealX detects the removal of Windows Event Logs with the Remote Log Deletion detector by identifying anomalies in system logs and patterns associated with log-tampering or deletion. This ensures coverage for methods such as exploitation of system vulnerabilities, use of malware, or unauthorized log-ins, making it significantly harder for malicious actors to conceal their activities and maintain persistent access to the system.

BlackCat may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. RevealX detects remote registry activity with the Windows Registry Enumeration, Remote Registry Modification, and Windows Registry Modification Activity detectors. These detectors use analytics to scrutinize Windows Registry enumeration and identify abnormal access or exploitations indicative of a potential cyberattack. RevealX also monitors for signs of remote and new registry modifications, which may signify advanced persistent threats or attempts to establish persistent access, elevate privileges, or execute malicious software, thus providing security coverage against these types of attacks.

BlackCat may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. RevealX detects the enumeration of accounts with the LDAP SPN Scan and Kerberos User Enumeration detectors. These detectors monitor for unauthorized LDAP queries and suspicious Kerberos ticket requests associated with validation of usernames and directory data access. By tracking abnormal use of service principal names and unexpected ticket-granting service responses, the detection analytic enhances defenses against reconnaissance activities aimed at collecting sensitive network information and identifying valid usernames for further malicious activities.

BlackCat enumerates files and directories or may search in specific locations of a host or network share for certain information within a file system. RevealX detects File and Directory enumeration with the Web Directory Scan and Unconventional Internal Connection detectors.

These detectors actively monitor the frequencies and patterns of web server queries, promptly identifying and alerting on any attempts to map web server structures that indicate potential intrusion. They also provide coverage for the detection of unconventional internal network connections, tracking instances of anomalous activities within the network, such as irregular access times, use of unusual protocols, and aberrant user behaviors, which may signify an advanced persistent threat attempting to spread malware, exploit vulnerabilities, or laterally move within the network.

BlackCat looks for folders and drives shared on remote systems to accomplish two goals: 1) identify sources of information to gather as a precursor for Collection and 2) identify potential systems of interest for Lateral Movement. RevealX detects Network Share Discovery with the SMB/CIFS Share Enumeration detector. This detector identifies suspicious activities associated with Server Message Block/Common Internet File System (SMB/CIFS) share enumeration. These activities include multiple unsuccessful login attempts indicative of brute force attacks, unusual network scanning for SMB shares, null sessions, or any evidence of an exploit like the EternalBlue.

BlackCat seeks to discover group and permission settings. RevealX detects the enumeration of group information with the Windows Account Enumeration detector, which identifies when BlackCat is employing different techniques to query system accounts, exploit any authentication weaknesses, manipulate error messages, or even intercept network traffic. By monitoring patterns of unusually high volumes of system queries, changing system response behaviors, and irregular network activity, these detection analytics can identify potential account enumeration attempts and mitigate risks of further brute force attacks, privilege escalation, or potential service denial attacks.

BlackCat enumerates information about remote systems that it can use in later stages of the attack to move laterally. RevealX detects the enumeration of remote systems over protocols such as DNS and LDAP using both signature-based and behavioral heuristics. It also identifies malicious Domain Controller Enumeration efforts that aim to gain higher access levels, breach network security, and formulate more strategic and targeted attacks.

BlackCat tries to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. RevealX detects the enumeration of system information with the Scheduled Task Enumeration and New WMI Enumeration Query detectors. These detectors monitor the task scheduling utility in systems to catch suspicious activity that suggests the attacker is listing, exploiting, or manipulating scheduled tasks to achieve persistence or introduce malicious code. They also identify New WMI Enumeration Query attacks where the adversaries might use WMI to execute code, create processes, or query system information, thereby revealing system vulnerabilities or details about configuration that can be misused for detrimental purposes.

BlackCat has been observed enumerating one or more users associated with or actively using a computer. RevealX detects the enumeration of users with the Logged On User Enumeration detector based on protocol payload analysis. These analytics aid in mitigating threats by flagging continuous login attempts, irregular logins using a list of user credentials, and deceptive login emails or websites, thereby preventing potential unauthorized access, data manipulation, and more concentrated attacks.

BlackCat transfers tools and other files between systems in a compromised environment. RevealX detects the transfer of malicious files and attack tools with the Unusual SMB/CIFS Executable File Transfer, File Transfer to Windows Autostart Path, New SMB/CIFS Executable File Transfer, Cobalt Strike Beacon Transfer, and Unusual Executable File Transfer detectors.

This detection analytic also provides coverage for Cobalt Strike Beacon Transfers implying an attacker could be establishing or currently possessing control over the system, and for any unusual executable file transfers that may signify a potential data breach or ongoing attack.

RevealX detects encryption with the Ransomware Activity, Suspicious SMB/CIFS File Share Access, Kaseya VSA Activity, REvil Suspicious Connection (Kaseya Supply Chain), and Confirmed OnePercent Group Ransomware IOC detectors. This detection analytic offers multi-layered security against encryption by identifying and mitigating malicious threats from unauthorized cybercriminals exploiting vulnerabilities in data management systems, monitoring unauthorized access to SMB/CIFS, and tracking and neutralizing activities of organized ransomware groups like REvil and OnePercent Group.

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. ExtraHop detects inhibiting system recovery with the Kaseya VSA Activity and REvil Suspicious Connection (Kaseya Supply Chain) detectors.

Detects and mitigates the Kaseya VSA Activity Attack Technique by monitoring for exploitation of vulnerabilities within the Kaseya Virtual System Administrator (VSA) software and flagging unusual system access or command execution, which can be indicative of an attacker infiltrating the system with malicious intent. Additionally, it provides protection against the REvil Suspicious Connection (Kaseya Supply Chain) Attack Technique by inspecting network activities for connections to known command and control servers used by the REvil group, enabling quick identification and isolation of compromised systems in the event of unauthorized transmission and propagation of ransomware through the software's update feature.