# Phase 1: Initial Access and Foothold (days 1 – 5). The threat actor initiated the attack by first compromising the network of a third-party vendor, utilizing a local terminal server in the client’s network as a pivot point from which to launch the attack.
# Phase 2: Lateral Movement (days 6-20). The threat actor used several remote code execution techniques and the Cobalt Strike platform, to move laterally between the victim’s on-premises domains and Azure environment through RDP and tunneled connections. .
# Phase 3: Data Exfiltration and Additional Lateral Movement (days 27-30). Using the ‘Rclone’ tool, the threat actor exfiltrated a high volume of data from local servers to a cloud file storage service called ‘Wasabi’.
# Phase 4: Extortion Attempts (days 30-45). The threat actor flooded the victim with email messages threatening to publish sensitive information if a ransom was not paid, while exaggerating the volume and sensitivity of the stolen information.
All articles related with “Blackcat” :
-
Ransomware gangs rake in more than $450 million in first half of 2024
-
New Ransomware Groups Emerge Despite Crackdowns
-
Ransomware Attack Costs loanDepot Almost $27 Million
-
Overview of Significant Cyber Attacks: July 2024 – SOCRadar® Cyber Intelligence Inc.
-
Insecure file-sharing practices in healthcare put patient privacy at risk – Help Net Security
-
[Cyware] Change Healthcare Begins to Notify Millions Affected by Hack
-
[Cyware] Russian ransomware gangs account for 69% of all ransom proceeds
-
[Cyware] Ransomware takedowns leave crims scrambling for stability
-
[Cyware] Scattered Spider chooses RansomHub, Qilin for latest attacks