Ransomware Roundup – BlackCat, White Rabbit, Avaddon, and Diavol

Created: Thursday, January 20, 2022 - 15:39
Categories:
Cybersecurity

Ransomware threat actors continue to terrorize organizations across the world, and when one group is shut down another seemingly appears. It is no surprise that last year saw a lot of ransomware activity. According to Digital Shadows, in the last quarter of 2021 there were 781 ransomware victims posted on data-leak sites, a 37 percent increase over the previous quarter. The U.S. was the most targeted country, with over 300 victims. WaterISAC has compiled a roundup of the more notable ransomware developments of the week.

BlackCat Ransomware. BlackCat is one of the newest ransomware groups, first appearing in late November 2021. The group operates under a RaaS (Ransomware-as-a-Service) model, and its payloads are written in Rust. BlackCat typically gains access to a target through third-party tooling such as Cobalt Strike or through exposed applications, and the operators practice double extortion (encrypting data and threatening to leak stolen copies). The payload will not run without an "access token" supplied on the command line, which frustrates sandboxing and manual analysis; this anti-analysis tactic is similar to the one used by the Egregor ransomware group. Read more at SentinelLabs.

White Rabbit. Another new ransomware family is White Rabbit. This variant was first observed in an attack against a U.S. bank in December 2021. Although researchers believe White Rabbit is likely still in development, it is already considered a threat. The ransomware is highly targeted and uses double extortion. Like Egregor, White Rabbit employs anti-analysis measures, requiring a password passed as a command-line argument before it will execute, to hinder examination of the malware. Finally, it is possible that the FIN8 threat group is behind this new ransomware. Read more at Trend Micro.

AVADDON. The AVADDON ransomware family was a pernicious strain, first seen in June 2020, that compromised multiple critical targets before apparently ceasing operations in June 2021. Researchers at Mandiant believe the threat actor may have rebranded under other family names to capture market share within the RaaS ecosystem. Based on observed TTPs, researchers assess that AVADDON may have rebranded as the BLACKMATTER or SABBATH ransomware families. Read more at Mandiant.

Diavol. See the FBI FLASH: Indicators of Compromise Associated with Diavol Ransomware for more information.

Ransomware Prevention. As always, members are encouraged to visit CISA's Stop Ransomware page for guidance and resources on defending against and recovering from a ransomware incident.