Microsoft published details about BlackCat ransomware, also known as ALPHV, in the same week an Italian university was added to the ransomware gang’s list of victims.
According to cyber security organization BetterCyber, the University of Pisa was added to BlackCat's list of victims on 11 June with the message: "Let's play, the university goes to sleep, the mafia wakes up?"
The gang has demanded a US$4.5mn ransom by 16 June, rising to US$5mn if that date passes, according to Italian news site Cybersecurity360.
The outlet shared a screenshot of the page for the compromised network, which appears to invite the victim to negotiate the ransom with the gang via an online chatroom.
The university has not published any details about whether it paid the ransom on the date required.
Education and research organizations are known to be a top target for cyber threat actors. Check Point Research reported that in 2021 this sector experienced the highest volume of attacks of any sector, with an average of 1,605 attempted attacks per organization per week.
BlackCat is an example of one of the biggest trends the industry is seeing today: Ransomware-as-a-Service (RaaS), in which the developers lease the malware and infrastructure to affiliates who carry out the intrusions.
Speaking to CS Hub, Yonesy Núñez, CISO at Jack Henry & Associates, said, “The RaaS economy continues to mature.”
“Financially motivated actors make up a huge portion of the cyber-threat landscape. At present, ransomware is by far the most effective monetization strategy available to criminals. To make matters worse, Ransomware-as-a-Service makes it even easier for non-technical criminals to take part in these destructive extortion schemes.”
Microsoft first observed ALPHV in November 2021 and said it was one of the first ransomware families written in the Rust programming language.
The company said that in the recent incidents it has observed, the common entry points were compromised credentials used to access internet-facing remote access software, and unpatched Exchange servers.
Microsoft lays out a number of ways in which organizations can defend against BlackCat ransomware, noting that detecting threats, while necessary, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks it is deployed on and to the attackers who operate it.
Microsoft says that organizations must shift their defensive strategies to prevent the end-to-end attack chain. Defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible.
Microsoft’s recommendations include:
- Turn on Microsoft Defender Antivirus and activate cloud-delivered protection.
- Use tools like Local Administrator Password Solution (LAPS).
- Require multifactor authentication (MFA) for local device access, RDP access, and remote connections through virtual private networks (VPNs) and Outlook Web Access.
- Turn on Microsoft Defender Firewall.
- Implement controlled folder access and set it to enabled or audit mode.
- Investigate and remediate vulnerabilities in Exchange servers.
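The Defender and firewall items in the list above can be applied and then verified from an elevated PowerShell session. The following script is an added example, not code from the article or from Microsoft's report; it uses the built-in Defender cmdlets (Set-MpPreference, Get-MpPreference, Get-MpComputerStatus) and the NetSecurity module (Set-NetFirewallProfile, Get-NetFirewallProfile). The function name Test-RansomwareBaseline and the parameter name ControlledFolderAccessMode are the author's own choices. The Exchange check at the end is only a version listing and assumes the Exchange Management Shell is loaded; the output still has to be compared against the current Cumulative Update and Security Update by hand.

```powershell
#Requires -RunAsAdministrator
# Added example: apply the host-level items from Microsoft's recommendation list
# and report whether each one is actually in effect. Not part of the original article.

param(
    # Start with AuditMode: legitimate software that writes into protected folders
    # then shows up as Event ID 1124 in the
    # "Microsoft-Windows-Windows Defender/Operational" log (1123 = blocked),
    # so you can add exclusions before switching to Enabled.
    [ValidateSet('Enabled', 'AuditMode')]
    [string]$ControlledFolderAccessMode = 'AuditMode'
)

# 1. Defender Antivirus with cloud-delivered protection (MAPS) and sample submission.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendAllSamples
Set-MpPreference -CloudBlockLevel High

# 2. Controlled folder access (ransomware protection for user document folders).
Set-MpPreference -EnableControlledFolderAccess $ControlledFolderAccessMode

# 3. Defender Firewall on every profile, not just Domain.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

function Test-RansomwareBaseline {
    <#
    .SYNOPSIS
        Re-reads the effective configuration and returns $true only when every
        check passes. Reading the state back matters: Set-MpPreference can be
        silently overridden by Group Policy or by a third-party AV that has
        put Defender into passive mode.
    #>
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $fw     = Get-NetFirewallProfile

    # Numeric values as returned by Get-MpPreference:
    #   MAPSReporting:               0 = Disabled, 1 = Basic, 2 = Advanced
    #   EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $checks = [ordered]@{
        'Defender AV and real-time protection enabled' =
            [bool]$status.AntivirusEnabled -and [bool]$status.RealTimeProtectionEnabled
        'Cloud-delivered protection (MAPS) on' =
            [int]$pref.MAPSReporting -ne 0
        'Controlled folder access enabled or auditing' =
            [int]$pref.EnableControlledFolderAccess -in 1, 2
        'Firewall enabled on Domain, Private and Public' =
            @($fw | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0
    }

    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $name)
    }
    return -not ($checks.Values -contains $false)
}

# 4. Exchange: if this host has the Exchange Management Shell loaded, list server
#    build numbers so they can be compared with the latest CU/SU. Patching itself
#    is a manual step and is deliberately not automated here.
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize
}

$baselineOk = Test-RansomwareBaseline
if (-not $baselineOk) {
    Write-Warning 'One or more controls are not in effect; check Group Policy and third-party AV state.'
}
```

Run it once in AuditMode, review the 1124 events for a week or two, then re-run with `-ControlledFolderAccessMode Enabled`. Items the script does not cover (LAPS deployment and MFA on RDP, VPN and Outlook Web Access) are directory- and gateway-level changes rather than per-host settings and have to be verified there.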