Integrity360 Comment: Blackcat ransomware - Bandai Namco hack
July 2022 by Jonathan Earley, Cyber Threat Response Analyst, Integrity360
In light of the news the Blackcat ransomware gang has added the Japanese publisher and developer, known for Pac-man, Dragon Ball and more, to its list of victims, the comment from Jonathan Earley, Cyber Threat Response Analyst, Integrity360:
Having dealt with incident response engagements involving the Ransomware as a Service (RaaS) ALPHV/BlackCat group over the past 12 months. It is evidently clear the increased specialisation at each stage of the attack lifecycle is making defenders’ job even more difficult. In practice, this means some threat actors will aim to get highly competent in one area, such as initial access, post compromise activity or monetisation. Naturally, this can make attribution tougher because multiple independent actors could be involved in one breach.
Recently, Integrity360 observed multiple victims falling prey to an identical initial access vector being used by different threat actors over a brief period. This highlighted the likely use of an Initial Access Broker (IAB) which focuses solely on gaining a foothold into an organisation’s network by methods such as phishing, exploitation and RDP access, etc and subsequently selling this access to other groups who can then perform their own activities. Ransomware is one component of the complete operation.
Of the incidents involving BlackCat/ALPHV Integrity360 has responded to, there are some commonalities of note that blue teams should be aware of:
Immediate attempt to encrypt VMware ESXI infrastructure
In our experience, this can be devastating for many organisations because much of their estate is virtualised, additionally from the attacker’s perspective, encrypting one server can bring a victim organisation to its knees. We would recommend the following mitigations for ESXI systems:
Network segmentation for VMware ESXI and vCenter Server Management
Use Lockdown Mode in ESXI - https://kb.vmware.com/s/article/1008077
Robust backups
Enable multi-factor authentication (MFA)
Have centralised logging
Endpoint and Network Detection Capabilities
Aside from locking down ESXI, it is imperative organisations ensure their endpoint protection capabilities and coverage can detect tools such as BloodHound AD enumeration, Cobalt Strike and lateral movement Powershell scripts such as ADRecon. Furthermore, on the network side, correlation rules identifying lateral movement with PsExec and traffic to sites such as MEGAsync would be considered important.