News, Trends, and Insights for IT & Managed Services Providers

Exchange Servers are under attack as the FBI and CISA collaborate

Written by

Dave Sobel, host of the Business of Tech podcast

Published on

June 16, 2022

Microsoft reports that BlackCat ransomware affiliates are actively attacking Microsoft Exchange servers, exploiting unpatched vulnerabilities to gain entry. In at least one incident Microsoft's security team observed, the attackers moved slowly through the victim's network, stealing credentials and exfiltrating data to be used for double extortion.

Two weeks after the initial compromise, with the unpatched Exchange server as the entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec. In April, the FBI warned in a flash alert that BlackCat ransomware had been used to encrypt the networks of at least 60 organizations worldwide between November 2021 and March 2022. Microsoft advises applying the latest patches.
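The PsExec deployment described above leaves a trace worth hunting for: PsExec installs a service on every target it touches, which Windows records in the System log as Event ID 7045 ("A service was installed in the system"), with the default service name PSEXESVC and the binary dropped directly under %SystemRoot%; the -r switch only renames the service. The following is an added example, not from the article or from Microsoft's report, that runs that detection over a handful of constructed event records and then looks for the fan-out pattern (many hosts receiving the same install within a short window) that a network-wide payload push produces. The field names are an assumption about how a log forwarder would present the events.

```python
"""Hunt for PsExec-style remote service installs across a fleet (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. event_id 7045 = service installed.
# Field names are assumed; map them to whatever your SIEM or forwarder emits.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045, "time": "2022-06-01T02:14:05",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS02", "event_id": 7045, "time": "2022-06-01T02:15:40",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # PsExec run with -r: renamed service, but the binary still lands in %SystemRoot% root.
    {"host": "FS01", "event_id": 7045, "time": "2022-06-01T02:16:10",
     "service_name": "wuauctl", "image_path": r"%SystemRoot%\wuauctl.exe"},
    # Benign install: binary under System32, hosted by svchost.
    {"host": "WS03", "event_id": 7045, "time": "2022-06-01T02:17:02",
     "service_name": "TelemetrySvc",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
    # Service state change, not an install: ignored.
    {"host": "DC01", "event_id": 7036, "time": "2022-06-01T02:16:55",
     "service_name": "PSEXESVC", "image_path": ""},
    # Isolated PsExec use hours later: a hit, but not part of the fan-out.
    {"host": "WS04", "event_id": 7045, "time": "2022-06-01T04:50:00",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
]

KNOWN_PSEXEC_NAMES = {"psexesvc"}


def is_psexec_like(event):
    """True if a 7045 event looks like a PsExec service install."""
    if event.get("event_id") != 7045:
        return False
    name = event.get("service_name", "").lower()
    path = event.get("image_path", "").lower()
    if name in KNOWN_PSEXEC_NAMES or path.endswith("\\psexesvc.exe"):
        return True
    # Heuristic for renamed PsExec (-r): a .exe installed straight into the
    # %SystemRoot% root, not a subdirectory. Noisy in some estates; baseline it.
    return (path.startswith("%systemroot%\\")
            and path.count("\\") == 1
            and path.endswith(".exe"))


def psexec_hits(events):
    """Return (timestamp, host) pairs for every PsExec-like install, oldest first."""
    return sorted((datetime.fromisoformat(e["time"]), e["host"])
                  for e in events if is_psexec_like(e))


def find_mass_deployment(events, window=timedelta(minutes=30), min_hosts=3):
    """Find the largest set of distinct hosts hit within one sliding window.

    Returns {"start": iso_timestamp, "hosts": [sorted hosts]} or None when no
    window reaches min_hosts. A single lone PsExec run stays below threshold;
    a payload push across the fleet does not.
    """
    hits = psexec_hits(events)
    best = None
    for i, (t0, _) in enumerate(hits):
        hosts = {h for t, h in hits[i:] if t - t0 <= window}
        if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
            best = {"start": t0.isoformat(), "hosts": sorted(hosts)}
    return best


def hits_per_host(events):
    """Count PsExec-like installs per host, useful for spotting the pivot boxes."""
    return Counter(host for _, host in psexec_hits(events))


if __name__ == "__main__":
    print("per-host:", dict(hits_per_host(SAMPLE_EVENTS)))
    print("fan-out:", find_mass_deployment(SAMPLE_EVENTS))
```

On the constructed data the fan-out detector returns WS01, WS02 and FS01 (three hosts inside a 30-minute window, including the renamed install) and ignores the 7036 state-change event and the lone install on WS04 hours later. Tune `window` and `min_hosts` to your environment, and expect the renamed-binary heuristic to need a benign-software baseline before it is alert-worthy.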

In a new twist, the Roblox online store, part of the gaming platform, was used to sell the decryptor for the Chaos ransomware: victims buy it with the in-game currency, Robux.

Students in New Jersey are escaping exams due to ransomware: Tenafly Public Schools was forced to cancel final exams while it restores systems and responds to the incident. One parent said the school's Google Classroom, grading, and other systems were taken offline. Exams were canceled over teacher concerns that students would be unfairly penalized after being locked out of the systems holding their notes for a week.

Updating on the reporting trends: just one-fourth of all NetWalker ransomware victims reported incidents to law enforcement, according to officials from the FBI and Justice Department who led the group's takedown.

That said, the DOJ reports that CISA and the FBI are working closely to address the upcoming new reporting requirements and are both "very engaged." DOJ and CISA are focused on practical questions during the initial regulatory period (which could last up to two years, although CISA intends to move faster than that). Some of those challenges: "How should the database be built? How should the information be taken into the database? How should the information in the database be shared with Sector Risk Management Agencies, with the FBI?"

Why do we care?

The tactics updates help us keep on top of our adversaries, but the main reason to care is that CISA and the FBI seem to be in lockstep. That's promising.

I was discussing this trend yesterday: can the US government reduce the security tax on business simply by upping its game from a law enforcement perspective? Suppose the analogy is that gangs of criminals are roaming the streets. In that case, it makes logical sense that deploying law enforcement will increase the risks for those criminals and eventually reduce crime. That's the kind of big problem governments are for.
