Anatomy of a BlackCat Attack Through the Eyes of Incident Response

Incident response experts at Sygnia provide a detailed blow-by-blow of a BlackCat ransomware attack and share tips for survival.

Courageous action by defenders can prevent maximum damage from attackers.

Incident response firm Sygnia was contacted by a company to investigate suspect activity on its network. Sygnia rapidly concluded the company was experiencing a ransomware attack and was in imminent danger of having its entire environment encrypted. It recommended immediate and bold action — disconnect from the internet.

The company (which we’ll now call the victim) complied. The attack was blocked, and the attacker could neither continue to the encryption phase nor delete its trail. The attacker was BlackCat, and Sygnia now had access to the detailed history and progress of the attack – and has reported on its analysis.

It was a supply chain attack. The supplier (which we’ll now call the vendor) provided technical assistance to the victim — and the entry route for BlackCat. For reasons of customer confidentiality, Sygnia’s CEO Ram Elboim declined to give SecurityWeek the name of either the victim or the vendor. It has, however, now published a detailed analysis of the progress and outcome of the BlackCat attack.

The attack started with attempts to access the victim from the previously compromised vendor. On day one, the attackers attempted RDP and SMB logon to two of the victim’s servers. Three successful logons were achieved on one of the servers. On day two, the attacker attempted brute force authentication attacks. On day three, it successfully connected over RDP with a victim server that became the ‘pivot’ server for reconnaissance and lateral movement.
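The day-one-to-day-three pattern described above (repeated RDP and SMB logon failures from a single external source, then a success from that same source) is detectable from Windows Security events. The following is an added example, not code from Sygnia or from the article; the event records, IP addresses and account names are constructed, and the logon-type mapping (3 = network, 10 = RemoteInteractive) is the standard Windows one.

```python
"""Flag sources that fail many RDP/SMB logons and then succeed, over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows logon types relevant to the pattern: 3 = network (SMB), 10 = RemoteInteractive (RDP)
LOGON_TYPE_NAMES = {3: "network/SMB", 10: "RDP"}

# Constructed sample events (not from the incident): (time, event_id, logon_type, source_ip, user)
SAMPLE_EVENTS = [
    ("2024-01-01T02:00:00", 4625, 10, "203.0.113.10", "svc_vendor"),
    ("2024-01-01T02:00:04", 4625, 10, "203.0.113.10", "admin"),
    ("2024-01-01T02:00:09", 4625, 3, "203.0.113.10", "administrator"),
    ("2024-01-01T02:00:13", 4625, 3, "203.0.113.10", "backup"),
    ("2024-01-01T02:00:20", 4625, 10, "203.0.113.10", "helpdesk"),
    ("2024-01-01T02:01:02", 4624, 10, "203.0.113.10", "helpdesk"),
    # Benign noise: one mistyped password then success from an internal workstation
    ("2024-01-01T09:00:00", 4625, 10, "10.0.0.5", "jsmith"),
    ("2024-01-01T09:00:07", 4624, 10, "10.0.0.5", "jsmith"),
]

def detect_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert per source that logs >= min_failures 4625 events inside `window`
    and is then granted a 4624 logon from the same source within that window."""
    failures = defaultdict(list)   # source_ip -> [(time, user)] of recent failures
    alerts = []
    for ts, event_id, logon_type, src, user in sorted(events):
        t = datetime.fromisoformat(ts)
        if logon_type not in LOGON_TYPE_NAMES:
            continue
        # Keep only failures still inside the sliding window for this source
        failures[src] = [(ft, fu) for ft, fu in failures[src] if t - ft <= window]
        if event_id == 4625:
            failures[src].append((t, user))
        elif event_id == 4624 and len(failures[src]) >= min_failures:
            alerts.append({
                "source": src,
                "user": user,
                "logon_type": LOGON_TYPE_NAMES[logon_type],
                "failed_attempts": len(failures[src]),
                "accounts_tried": sorted({fu for _, fu in failures[src]}),
                "succeeded_at": ts,
            })
            failures[src].clear()   # reset so one success is reported once
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce_then_success(SAMPLE_EVENTS):
        print(alert)
```

Restricting the rule to sources outside the organization's own ranges, or to a vendor's known remote-support addresses, keeps the internal single-typo case from ever reaching the threshold.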

The basic history of the attack is not unfamiliar. The victim’s security controls rapidly provided alerts to anomalous activity, but the victim did not immediately recognize the alerts as serious — it’s the standard problem of alert fatigue and possible false positives.

Still on day three of the attack, the attacker rapidly consolidated its position. A cat-and-mouse game between live attackers and automated security controls began. “The ‘C:\Intel\exp.exe’ file was created on the pivot-server during the RDP session, and its execution was detected and blocked by MDE,” reports Sygnia. “An analysis of ‘exp.exe’ indicated that it is a privilege escalation tool based on the exploitation of CVE-2022-24521 – a vulnerability in the Windows Common Log File System (CLFS) driver, known to be used by several ransomware groups.”

The attacker created a new file and executed it using PowerShell. This injected malicious code into the ‘drfgui.exe’ process, which contacted a Cobalt Strike C2 server on a domain that resolved to a Cloudflare CDN. It then created a malicious file named ‘C:\Intel\svchost.exe’ on the pivot server, trying to mask the malware as benign activity.

Reconnaissance continued with the attacker using a version of the SoftPerfect Network Scanner, searching for passwords, accessing remote folders via Windows Explorer, and ping testing network connections.

On day five, Cobalt Strike Beacon was downloaded and injected into ‘drfgui.exe’. On the same day, the attacker executed ‘BG00Q.exe’, a renamed version of AccountRestore, which performs dictionary attacks to extract passwords, and carried out a Kerberoasting attack to retrieve password hashes from Active Directory.

On day six, the second phase of the attack, lateral movement, began. This lasted another two weeks. Numerous tools were used, including Netscan and Stowaway — an open source tool used to create a chained proxy service between a series of hosts.

The bottom line, however, is that by the time the victim called on Sygnia for help, it had become a noisy battlefield. The victim knew it was under attack, and the attacker knew its presence was probably known, or at least suspected. This alone adds urgency to both sides – an urgency that Sygnia immediately recognized.

“When responding to an incident, one of the areas that should be looked at is ‘What will the attacker understand and how will they react?’ – this is one of the areas that makes IR work for professionals,” Elboim explained. “On one hand, response activities should do the maximum to contain and remediate, but on the other, they should be done carefully so that the attacker will not know that activity is taking place – or at least not fully understand the type and scope of activities that are being done.”

It was too late in this instance. “Cutting the Internet connection is a severe action that was unavoidable in this specific case, but there are many cases where we have taken a more careful approach and planned our activities so that the attacker isn’t informed of our activities until we, and the company we assist, are fully ready,” he added.

The important point here, however, is that the victim’s senior management was brave enough to take that severe action. By then, the attackers had succeeded in exfiltrating data but had not yet commenced encryption. That encryption was blocked. It did not prevent BlackCat from attempting to extort the victim over the stolen data, and for the next three weeks the attacker attempted to do so. Details of this process are unknown, or at least undisclosed, but some inference may be drawn from the subsequent disclosure of victim data on BlackCat’s leak site.

“Attackers always exaggerate the importance of the data they steal,” Elboim said. “In this case it was not as important as they thought. If they could have continued, they would have exfiltrated more data.”

There are numerous takeaways from this case. Early and expert incident response is always advisable – but in the end, decisiveness and the courage to take drastic steps can save the day, even very late in the day. It is questionable whether the victim would have succumbed to the double extortion of system encryption and more expansive data theft, but if an attack that cannot be prevented can at least be limited to a questionable single extortion attack, survival is more likely.

Related: Change Healthcare Confirms BlackCat Ransomware Attack

Related: US Offers $10M for Info on BlackCat Ransomware Leaders

Related: BlackCat Ransomware Gang “Unseizes” Website, Vows No Limits on Targets

Related: US Gov Disrupts BlackCat Ransomware Operation, Releases Decryption Tool

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
