The Israeli cybersecurity company, Sygnia, revealed new details about a group of hackers known as BlackCat. First active in November 2021, the group focuses on attacking high-profile multi-sector and international organizations. Sygnia investigated this suspicious activity on BlackCat’s network, which was eventually identified as a financial extortion attack that included a massive information leak.
The Sygnia team, led by Oren Biederman, a senior expert in detection and response to cyber incidents, provides a detailed, step-by-step description of all the actions performed by the BlackCat group during an attack on a customer. The researchers also provide advice for organizations and companies on how to defend themselves ahead of time against similar attacks. This is based on the defensive activity carried out for a Sygnia client that was attacked by BlackCat in 2023.
Like other hacker groups, BlackCat uses a Ransomware-as-a-Service business model, which allows its partners to leverage their tools and infrastructure for extortion attacks.
Sygnia’s preliminary investigation revealed indications of a possible ransomware attack that could result in the encryption of all corporate information. Finally, the cyberattack was stopped, through immediate actions carried out by the client’s IT team, mainly blocking all inbound and outbound traffic to and from the central network assets.
Since the hackers failed to fully execute the attack or erase any traces of evidence within the network, Sygnia’s extensive investigation resulted in unique findings regarding BlackCat operating modes, tactics, techniques, and procedures (TTP). In this case, the affected organization blocked Internet access from within the intra-organizational network, but not from the organization’s cloud environment. Because the two environments were linked via an Azure express route, the attack group maintained access to the victim’s network, bypassing the corporate firewall.
Sygnia CEO shares practical tips to avoid cyberattack
Biederman shared recent activity from Sygnia and stated “We have identified a trend of attacking large companies by attacking third parties with less strong security. This trend illustrates how critical it is for companies to carefully map the network connections with their suppliers, and limit access providers to the minimum required.
Organizations should have a predefined plan to mitigate ransomware attacks. In this case, the threat was unable to encrypt the network, as the victim was willing to immediately block Internet access as a mitigation measure. There is no doubt that blocking the Internet connectivity of large networks is a challenging task for network managers, who at the same time have to preserve the business continuity of the company, but constant effort in this direction may make the difference.”