Ransomware Gang BlackCat Uses Pentesting Tool Brute Ratel as Attack Tool

Series of attacks shows how cybercriminals are infecting computers worldwide via unpatched firewalls and VPN services.

A new report from Sophos X-Ops shows that the ransomware gang BlackCat has added the pentesting tool Brute Ratel to its arsenal of attack tools. BlackCat uses this to exploit unpatched or outdated firewalls and VPN services to penetrate networks and systems in various industries worldwide.

First infection via vulnerabilities of firewall providers

The BlackCat ransomware first emerged in November 2021 as a self-professed “market leader” in the ransomware-as-a-service space and quickly attracted attention for its unusual choice of programming language, Rust. In some incidents, the initial infection occurred by exploiting vulnerabilities in products from various firewall vendors. One of these vulnerabilities dates back to 2018, while another was discovered last year. Once the cybercriminals had penetrated the network, they were able to obtain VPN credentials stored on these firewalls. This allowed them to log in as authorised users and then use the Remote Desktop Protocol (RDP) to move between systems unnoticed.

As with previous BlackCat incidents, the attackers also used open-source and commercially available tools to create additional backdoors and alternative ways to remotely access the target systems. These included TeamViewer, ngrok, Cobalt Strike and Brute Ratel. “In BlackCat and other recent attacks, we have seen that threat actors are very efficient and effective. They use proven methods such as attacks on vulnerable firewalls and VPNs. However, they have also been very innovative in bypassing security measures in their attacks by switching to the newer post-exploitation C2 framework Brute Ratel,” explains Christopher Budd, senior manager, threat research at Sophos.

Attacks without a clear pattern

No clear pattern could be spotted in these attacks. They occurred in the US, Europe and Asia at large companies operating in different industry segments. However, the attacked companies had certain weaknesses in their environments that made the attackers' work easier. These included outdated systems that could not be updated with the latest security patches, a lack of multi-factor authentication for VPNs, and flat networks (networks without segmentation between hosts).

“The common factor in all of these attacks is that they were easy to carry out,” Budd said. “In one case, the same BlackCat attackers installed a cryptominer a month before launching the ransomware. Our recent research highlights the importance of following security best practices. They can still prevent and thwart attacks, including multiple attacks on a single network.”