Israeli cybersecurity company Sygnia has revealed new details about the hacker group known as BlackCat. The group first became active in November 2021 and focuses on attacks against high-profile multi-sector and international organizations. Sygnia investigated the suspicious activity and ultimately determined it to be a financial extortion attack involving a large-scale data leak.
The Sygnia team, led by Oren Biederman, a senior cyber incident detection and response expert, details step by step every action BlackCat took during the attack on a Sygnia customer. The researchers also offer advice to organizations and businesses on how to proactively protect themselves from similar attacks. The findings are based on defensive operations Sygnia performed for a client that was attacked by BlackCat in 2023.
Like other hacker groups, BlackCat operates a ransomware-as-a-service business model that lets affiliates use its tools and infrastructure for extortion attacks.
Sygnia's preliminary investigation revealed signs of a ransomware attack that could potentially have encrypted all of the company's data. The attack was ultimately thwarted by immediate action from the client's IT team, primarily blocking all inbound and outbound traffic to and from the network's central assets.
Because the attackers were unable to fully execute the attack or erase their traces from the network, Sygnia's extensive investigation produced unique findings about BlackCat's modes of operation and its tactics, techniques, and procedures (TTPs). In this case, the affected organization blocked Internet access from its internal network but not from its cloud environment. The two environments were linked via Azure ExpressRoute, which allowed the attackers to bypass the corporate firewall and maintain access to the victim's network.
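The segmentation gap described above (egress blocked on-premises but still open from a linked cloud environment) can be checked before an incident by modelling the allowed forwarding paths and searching for any route from critical assets to the Internet. The following script is an added example, not Sygnia's code or any tooling from the case; the topology, segment names ("central-servers", "expressroute", "cloud-vnet", "cloud-nat") and the two switches that block egress are constructed for illustration.

```python
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed example topology (not the real network from the case).
# Each key is a network segment or control point; each value is the set of
# segments it is allowed to forward traffic to.
def build_topology(corp_internet_blocked: bool,
                   cloud_internet_blocked: bool) -> Dict[str, Set[str]]:
    topo: Dict[str, Set[str]] = {
        "central-servers": {"corp-firewall", "expressroute"},  # on-prem crown jewels
        "corp-firewall": set(),                                # on-prem egress point
        "expressroute": {"cloud-vnet"},                        # private link to Azure
        "cloud-vnet": set(),
        "cloud-nat": set(),                                    # cloud egress point
        "internet": set(),
    }
    if not corp_internet_blocked:
        topo["corp-firewall"].add("internet")
    if not cloud_internet_blocked:
        topo["cloud-vnet"].add("cloud-nat")
        topo["cloud-nat"].add("internet")
    return topo


def find_path(topo: Dict[str, Set[str]], start: str, goal: str) -> Optional[List[str]]:
    """Breadth-first search over the forwarding graph; returns the first
    path from start to goal, or None if goal is unreachable."""
    parent: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            cur: Optional[str] = node
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in sorted(topo.get(node, ())):   # sorted for deterministic paths
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def audit_egress(topo: Dict[str, Set[str]], assets: List[str]) -> Dict[str, List[str]]:
    """Map every asset that can still reach the Internet to the path it uses.
    An empty result means the egress block is complete for those assets."""
    leaks: Dict[str, List[str]] = {}
    for asset in assets:
        path = find_path(topo, asset, "internet")
        if path is not None:
            leaks[asset] = path
    return leaks


if __name__ == "__main__":
    # Mitigation applied only on-prem: the cloud link still provides a way out.
    partial = build_topology(corp_internet_blocked=True, cloud_internet_blocked=False)
    print("on-prem only:", audit_egress(partial, ["central-servers"]))
    # Mitigation applied in both environments: no route to the Internet remains.
    full = build_topology(corp_internet_blocked=True, cloud_internet_blocked=True)
    print("both blocked:", audit_egress(full, ["central-servers"]))
```

The point of the audit is that a block is only effective if every linked environment is included in it; the partial configuration reports a surviving path through the ExpressRoute link and the cloud egress point, while the full configuration reports none.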
Sygnia CEO shares practical tips to avoid cyberattacks
Sharing Sygnia's recent activity, Biederman said, “We have identified a trend of attacking large enterprises by attacking third parties with less strong security. It shows how important it is to carefully map and restrict providers' access to the minimum necessary.
Organizations should have a predefined plan to mitigate ransomware attacks. In this case, the threat was unable to encrypt the network because the victim immediately tried to block Internet access as a mitigation. There is no doubt that blocking Internet connectivity in large networks is a difficult task for network administrators who at the same time need to maintain the business continuity of their companies, but continued efforts in this direction can make a difference.”