Content, Channel partners, Content

Blackpoint Cyber Identifies BlackCat Ransomware TTPs: What MSPs, MSSPs Need to Know

Cyber Security, Phishing, E-Mail, Network Security, Computer Hacker, Cloud Computing

Blackpoint Cyber, a managed detection and response (MDR) services provider that works closely with MSPs, has discovered new tactics, techniques and procedures (TTPs) attributed to BlackCat ransomware-as-a-service (RaaS) threat actors.

In each instance, Blackpoint detected lateral movement of BlackCat threat actors across unprotected devices, the company indicated. The threat actors used T1021.001, Remote Desktop Protocol (RDP), and T1021.002, SMB/Windows Admin Shares, to infiltrate these devices and deploy malicious enterprise software.

BlackCat threat actors deployed Total Software Deployment (TSD), a remote management tool commonly used by MSSPs, MSPs, and ITSPs, during their attacks, Blackpoint said. Also, Blackpoint noted that these threat actors used ScreenConnect (a.k.a. ConnectWise Control) for remote control and lateral movement.

In addition, BlackCat threat actors exploited free versions of TSD and ScreenConnect, Blackpoint stated. TSD can be downloaded without any checks. Meanwhile, ScreenConnect only requires an end-user to provide an email address, password and name of their preferred ScreenConnect URL.

FBI Issues BlackCat Warning

Blackpoint's discovery comes after the FBI in April 2022 published a "Flash report" that detailed indicators of compromise (IOCs) associated with BlackCat attacks.

In its report, the FBI offered several recommendations to protect against BlackCat attacks, such as:

  • Review domain controllers, servers, workstations and active directories for new or unrecognized user accounts.
  • Back up data regularly and password-protect backup copies offline.
  • Use network segmentation.
  • Require administrator credentials to install software.
  • Establish a recovery plan to maintain and retain multiple copies of data and servers in a physically separate, segmented and secure location.
  • Update and patch operating systems, software and firmware frequently.
  • Utilize multi-factor authentication (MFA).

BlackCat is a ransomware family created in the Rust programming language that is delivered via third-party frameworks and toolsets. To date, cybercriminals have used BlackCat attacks to compromise at least 60 entities worldwide, the FBI indicated.

Also of note: The CISA in May 2022 issued this cyber warning to MSPs and service providers.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.

You can skip this ad in 5 seconds