The Black Cat/ALPHV ransomware group has claimed responsibility for a data breach incident and threatened to post the stolen data publicly. The breached data, the group claims, belongs to Sagenext, a cloud hosting provider for tax and accounting.
The Cyber Express reached out to Sagenext to confirm the data breach claim by the Black Cat ransomware group but has yet to receive any confirmation from the company.
According to the threat actor’s post on the dark web website, the authorized QuickBooks solution provider does not know how to secure tax data properly and is “trying to play with Kitty”, hinting at a lack of seriousness in the matter.
Black Cat Ransomware: Latest hits
The Black Cat ransomware group has a history of ransomware attacks and data breaches, often targeting high-profile companies and organizations.
Ring, a popular home security company owned by Amazon, was among its latest victims, The Cyber Express reported in March.
Although there has been no official confirmation of the Amazon Ring data breach, the ransomware group claimed to have access to the private data of the home security company and has threatened to leak it if an agreement is not reached.
Central Missouri Machine Guns (CMMG Inc.), an American firearms company that specializes in the manufacture of AR-derivative rifles and carbines, was another victim spotted that month.
Popular American fast-food chain Five Guys was listed on the Black Cat ransomware gang’s data leak site in February. The gang claimed to have stolen confidential information from the company such as financial statements, payroll details, recruitment information, and audit records.
In January, the ransomware group claimed to have access to 262 GB of data belonging to the Westmont Hospitality Group, one of the world’s largest privately held hospitality businesses.
According to the note posted on the leak site of the Black Cat ransomware gang, January 31, 2023 was the deadline for ransom payment. The gang said it accessed the data on December 23, 2022.
Black Cat Ransomware and mode of operation
Initially discovered in November of 2021, BlackCat gained notoriety for being one of the earliest ransomware variants coded in the Rust programming language.
Its creators aimed to evade detection, particularly from traditional security solutions that may still be struggling to analyze and parse binaries written in this modern language.
“While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—
Black Cat ransomware is capable of encrypting and attacking various devices, including those running Windows and Linux operating systems as well as VMware instances, the advisory said. Its sophisticated features allow its affiliates to customize its self-propagation and adapt to the environment it encounters.
In cases where the BlackCat payload does not have administrator privileges, we have observed that it is launched via dllhost.exe, which in turn triggers a series of commands through cmd.exe. These commands may differ depending on the customized execution of the BlackCat payload by its affiliates, it added.
Black Cat ransomware leverages previously compromised user credentials to gain initial access to the victim system, noted the FBI Flash report detailing indicators of compromise (IOCs) associated with attacks involving the gang.
“Once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware,” the report said.
“Initial deployment of the malware leverages PowerShell scripts in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise,” it added.
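Two of the behaviours described above are directly visible in process-creation telemetry: a non-elevated payload launched through dllhost.exe that then drives cmd.exe, and use of Windows Task Scheduler during deployment. The following script is an added example, not code from the article, from the FBI Flash report or from any vendor advisory, and it carries no real indicators of compromise. It runs two simple heuristics over a handful of constructed Sysmon-style Event ID 1 records (the field names Image, ParentImage, CommandLine and User follow the Sysmon convention; the event lines themselves are made up here) and reports which rule each matching event triggers.

```python
"""Added example: flag two BlackCat-style behaviours in process-creation logs.

Rule 1: cmd.exe whose parent is dllhost.exe (the non-admin launch chain the
        article describes).
Rule 2: schtasks.exe invoked with /create (Task Scheduler use during deployment).

All sample events below are constructed for this example; they are not real
telemetry or indicators from any advisory.
"""
from __future__ import annotations

import json
import ntpath
from typing import Callable, Iterable, Iterator

# Constructed JSON-lines events in a Sysmon Event ID 1 shape (not real data).
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\dllhost.exe", "CommandLine": "cmd.exe /c stage.bat", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks.exe /create /tn Updater /tr C:\\Temp\\x.exe /sc once", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\System32\\dllhost.exe", "CommandLine": "notepad.exe", "User": "CORP\\jdoe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS via ntpath)."""
    return ntpath.basename(path).lower()


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per non-empty JSON line; skip lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: ignore rather than abort the whole pass


def dllhost_spawns_cmd(ev: dict) -> bool:
    """Rule 1: cmd.exe started by dllhost.exe (rare in normal operation)."""
    return (
        basename(ev.get("ParentImage", "")) == "dllhost.exe"
        and basename(ev.get("Image", "")) == "cmd.exe"
    )


def schtasks_create(ev: dict) -> bool:
    """Rule 2: a new scheduled task being registered via schtasks.exe /create."""
    return (
        basename(ev.get("Image", "")) == "schtasks.exe"
        and "/create" in ev.get("CommandLine", "").lower()
    )


# Rule name -> predicate. Extend here; each predicate sees one event dict.
RULES: dict[str, Callable[[dict], bool]] = {
    "dllhost_spawns_cmd": dllhost_spawns_cmd,
    "schtasks_create": schtasks_create,
}


def detect(events: Iterable[dict]) -> list[dict]:
    """Return a finding {rule, user, image, parent, cmdline} for every rule hit."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue  # only process-creation events carry parent/child fields
        for name, predicate in RULES.items():
            if predicate(ev):
                findings.append(
                    {
                        "rule": name,
                        "user": ev.get("User", ""),
                        "image": basename(ev.get("Image", "")),
                        "parent": basename(ev.get("ParentImage", "")),
                        "cmdline": ev.get("CommandLine", ""),
                    }
                )
    return findings


def run_sample() -> list[dict]:
    """Run both rules over the constructed events; two of the four should match."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['rule']}] {f['user']}: {f['parent']} -> {f['image']}  {f['cmdline']}")
```

Both rules are deliberately coarse: dllhost.exe legitimately hosts COM surrogates and some administrative tooling does register scheduled tasks, so in a real environment the predicates would be tuned against a baseline of normal parent/child pairs and task names before being promoted to alerting, and the finding would be enriched with the process tree (the PowerShell and Sysinternals activity the report mentions would show up as further children of the same chain).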