BlackCat avoids the following directories:
It avoids encrypting the following files with strings in their file name:
It also prevents the encryption of files with the following extensions:
BlackCat terminates the following processes and services:
| Tactic | Technique |
|---|---|
| Initial Access | T1078 - Valid Accounts |
| Initial Access | T1190 - Exploit Public-Facing Application |
| Execution | T1059 - Command and Scripting Interpreter |
| Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools |
| Defense Evasion | T1562.009 - Impair Defenses: Safe Mode Boot |
| Defense Evasion | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs |
| Credential Access | T1003.001 - OS Credential Dumping: LSASS Memory |
| Discovery | T1087 - Account Discovery |
| Discovery | T1083 - File and Directory Discovery |
| Discovery | T1057 - Process Discovery |
| Discovery | T1135 - Network Share Discovery |
| Discovery | T1016 - System Network Configuration Discovery |
| Discovery | T1069 - Permission Groups Discovery |
| Discovery | T1018 - Remote System Discovery |
| Lateral Movement | T1021.002 - Remote Services: SMB/Windows Admin Shares |
| Exfiltration | T1048 - Exfiltration Over Alternative Protocol |
| Exfiltration | T1567 - Exfiltration Over Web Service |
| Impact | T1489 - Service Stop |
| Impact | T1490 - Inhibit System Recovery |
| Impact | T1486 - Data Encrypted for Impact |
| Impact | T1491.001 - Defacement: Internal Defacement |
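As an added example that is not part of the original report, the following Python scans constructed process-creation events for command lines commonly associated with several of the techniques in the table above and groups the hits per host. The regex patterns and the sample events are assumptions for illustration, not indicators taken from the BlackCat sample.

```python
import re

# Command-line patterns mapped to ATT&CK technique IDs from the table above.
# These patterns are assumptions about how the techniques commonly surface in
# process-creation telemetry; they are not derived from the BlackCat sample.
RULES = [
    ("T1490", r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"),
    ("T1490", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("T1490", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("T1562.009", r"\bbcdedit(\.exe)?\b.*\bsafeboot\b"),
    ("T1070.001", r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b"),
    ("T1135", r"\bnet(\.exe)?\s+(view|share)\b"),
    ("T1489", r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b"),
]
COMPILED = [(tid, re.compile(p, re.IGNORECASE)) for tid, p in RULES]


def classify(cmdline):
    """Return the sorted list of technique IDs whose patterns match a command line."""
    return sorted({tid for tid, rx in COMPILED if rx.search(cmdline)})


def scan(events):
    """events: iterable of dicts with 'host', 'user' and 'cmdline' keys.
    Returns one finding per matching event plus the set of distinct techniques
    seen per host, so a host chaining several Impact / Defense Evasion
    techniques stands out from a lone administrative command."""
    findings, per_host = [], {}
    for ev in events:
        hits = classify(ev["cmdline"])
        if hits:
            findings.append({**ev, "techniques": hits})
            per_host.setdefault(ev["host"], set()).update(hits)
    return findings, per_host


# Constructed sample telemetry (hypothetical hosts and users, not a real incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "cmdline": "notepad.exe C:\\notes.txt"},
    {"host": "SRV02", "user": "CORP\\svc", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV02", "user": "CORP\\svc", "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "SRV02", "user": "CORP\\svc", "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "user": "CORP\\alice", "cmdline": "net view \\\\fileserver"},
]

if __name__ == "__main__":
    found, hosts = scan(SAMPLE_EVENTS)
    for f in found:
        print(f["host"], f["techniques"], f["cmdline"])
    for host, techs in hosts.items():
        print(host, "distinct techniques:", len(techs))
```

A host such as SRV02 above, which shows three distinct techniques within the same batch of events, is the kind of signal worth escalating ahead of a single `net view` on a workstation.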
Security teams should watch out for the presence of the following malware tools and exploits that are typically used in BlackCat attacks:
| Initial Access | Defense Evasion | Discovery | Credential Access | Lateral Movement | Exfiltration | Impact |
|---|---|---|---|---|---|---|
All indications of BlackCat's activity suggest that the ransomware group is moving toward more aggressive attacks. Its preference for unconventional methods, the sophistication of its techniques, and a growing affiliate base show that its operations are robust and likely to remain so. This gives organizations all the more reason to stay well informed and to have security measures in place to ward off ransomware threats.
To protect systems against similar threats, organizations can establish security frameworks that allocate resources systematically to establish a strong defense strategy against ransomware.
Here are some best practices that organizations can consider:
A multilayered approach can help organizations guard the possible entry points into their systems (endpoint, email, web, and network). Security solutions at each of these layers can detect malicious components and suspicious behavior, which helps protect the enterprise.