An Investigation of the BlackCat Ransomware via Trend Micro Vision One


Ransomware

By: Lucas Silva, Leandro Froes | April 18, 2022

We recently investigated a case related to the BlackCat ransomware group using the Trend Micro Vision One™ platform, which comes with extended detection and response (XDR) capabilities. BlackCat (aka AlphaVM or AlphaV) is a ransomware family created in the Rust programming language and operated under a ransomware-as-a-service (RaaS) model. Our data indicates that BlackCat is primarily delivered via third-party frameworks and toolsets (for example, Cobalt Strike) and uses exploitation of exposed and vulnerable applications (for example, Microsoft Exchange Server) as an entry point. 

BlackCat has versions that work on both Windows and Linux operating systems and in VMware’s ESXi environment. In this incident, we identified the exploitation of CVE-2021-31207. Exploitation of this vulnerability abuses the New-MailboxExportRequest PowerShell cmdlet to export a user mailbox to an arbitrary file location, which can be used to write a web shell on the Exchange Server.
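A defender-side check for the export abuse described above, added here as an example and not part of the original entry or of Vision One: it scans cmdlet invocation records for New-MailboxExportRequest calls whose -FilePath points at a server-executable file type or under a web-served directory, and it also flags any non-PST destination as a broader catch. The record layout and the sample lines are constructed for this example and do not mirror a real Exchange log format.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample records (not a real Exchange log format): timestamp,
# invoking user, cmdlet name and its parameter string, one invocation per line.
SAMPLE_LOG = [
    r'2022-03-10T08:12:44Z user=CONTOSO\helpdesk cmdlet=New-MailboxExportRequest params="-Mailbox jdoe -FilePath \\EXCH01\backup\jdoe.pst"',
    r'2022-03-10T08:15:02Z user=CONTOSO\svc_ops cmdlet=Get-MailboxExportRequest params=""',
    r'2022-03-10T08:16:37Z user=CONTOSO\helpdesk cmdlet=New-MailboxExportRequest params="-Mailbox jdoe -FilePath \\EXCH01\C$\inetpub\wwwroot\aspnet_client\update.aspx"',
    r'2022-03-10T08:17:10Z user=CONTOSO\helpdesk cmdlet=New-MailboxExportRequest params="-Mailbox jdoe -FilePath \\EXCH01\C$\inetpub\wwwroot\owa\auth\help.pst"',
]

# Extensions IIS will execute server-side, and path fragments (assumed here) that
# indicate a web-served Exchange/IIS directory rather than a backup share.
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}
WEB_ROOT_MARKERS = ("inetpub", "wwwroot", "httpproxy", "clientaccess")

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) cmdlet=(?P<cmdlet>\S+) params="(?P<params>.*)"$')
FILEPATH_RE = re.compile(r'-FilePath\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def extract_filepath(params: str) -> Optional[str]:
    m = FILEPATH_RE.search(params)
    return (m.group(1) or m.group(2)) if m else None


def classify_filepath(path: str) -> List[str]:
    """Return every reason an export destination looks like web shell staging."""
    reasons = []
    lowered = path.lower()
    ext = ntpath.splitext(lowered)[1]  # handles backslash paths on any host OS
    if ext in WEB_EXTENSIONS:
        reasons.append(f"server-executable extension {ext}")
    elif ext != ".pst":  # a legitimate mailbox export always targets a .pst
        reasons.append(f"non-PST extension {ext or '(none)'}")
    if any(marker in lowered for marker in WEB_ROOT_MARKERS):
        reasons.append("destination under a web-served directory")
    return reasons


def find_suspicious_exports(lines: List[str]) -> List[Dict[str, object]]:
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["cmdlet"].lower() != "new-mailboxexportrequest":
            continue
        path = extract_filepath(rec["params"])
        if path is None:
            continue
        reasons = classify_filepath(path)
        if reasons:
            hits.append({"ts": rec["ts"], "user": rec["user"], "path": path, "reasons": reasons})
    return hits
```

Each hit carries every reason it matched, so a .pst written into a web directory is still reported even though its extension alone looks benign.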

In this blog entry, we discuss the kill
