SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: BlackCat ransomware actor may be connected to attackers behind Colonial Pipeline shutdown
Description: BlackCat ransomware, also known as "ALPHV," has quickly gained notoriety for being used in double ransom (encrypted files and stolen file disclosure) attacks against companies. It first appeared in November 2021 and, since then, several companies have been hit across the globe. There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for attacking the Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made up of affiliates of other RaaS groups (including BlackMatter). Cisco Talos has observed that at least one attacker who used BlackMatter was one of the early adopters of BlackCat. One key aspect of these attacks is that adversaries take time exploring the environment and preparing it for a successful and broad attack before launching the ransomware, at which point every second means lost data. Therefore, it is key that the attack is detected in its initial stages. The two attacks described here took over 15 days to reach the encryption stage. Knowing the attackers' tools and techniques and having monitoring and response processes in place could have prevented the successful encryption of the companies' files.
SNORT® SIDs: 58237, 58238
Title: CaddyWiper is latest malware to be connected to Ukraine war
Description: Security researchers recently discovered another Ukraine-focused wiper, dubbed "CaddyWiper," on March 14. This wiper is smaller than previous wipers seen in Ukraine, such as "HermeticWiper" and "WhisperGate," with a compiled size of just 9KB. The sample's compilation timestamp falls on the same day (March 14), and initial reports suggest that it was deployed via GPO. The wiper is small and dynamically resolves most of the APIs it uses. Cisco Talos analysis did not show any indications of persistence, self-propagation or exploitation code.
SNORT® SIDs: 59268, 59269