
In a recently investigated attack, Sophos X-Ops, the threat research team of the cyber security company Sophos, found a new version of the ransomware known as Sphynx. This upgraded variant carries new capabilities and was used to encrypt data stored in Azure Storage accounts.

Sophos first came across this version of Sphynx in March, shortly after it was released. Around May, another cyber security group, IBM X-Force, published its own analysis of Sphynx. During the same incident Sophos detected, the attackers were also found using a tool called ExMatter to steal data.

Sophos detected and responded to this attack in August. During the investigation, they found that the attackers had modified the Sphynx ransomware, adding a new command-line switch, “-o”, which let them replace the credentials embedded in the software with credentials stolen from the compromised computer.

The attackers broke into the accounts and obtained the keys needed to access Azure Storage accounts. They Base64-encoded these keys and embedded them in the ransomware program, together with some command-line options. The “-o” switch targeted specific Azure Storage accounts, and the attackers ran the same program repeatedly to encrypt 39 different accounts, successfully rendering them inaccessible.
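For defenders, the distinctive part of this step is a ransomware binary launched with a “-o” argument whose Base64 payload decodes to Azure Storage credentials. The following Python is an added example, not code from Sophos or the original post, that scans constructed process-creation records for that pattern; the log format, the account-key length heuristic and the sample records are assumptions.

```python
import base64
import re
# Heuristics (assumptions, not Sophos indicators): an Azure Storage account key is
# 64 random bytes, so its Base64 form is 88 characters ending in "==".
ACCOUNT_KEY_RE = re.compile(r"^[A-Za-z0-9+/]{86}==$")
CONN_STRING_RE = re.compile(r"AccountName=([^;]+);AccountKey=([^;]+)")
LOG_RE = re.compile(r"host=(\S+) image=(\S+) cmdline=(.*)")  # constructed log format

def decode_b64_strict(token):
    """Decoded bytes if token is well-formed Base64 (as the '-o' payload was), else None."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # bad alphabet or padding raises binascii.Error, a ValueError
        return None

def classify_payload(data):
    """Kind of Azure Storage secret a decoded '-o' payload carries, or None."""
    text = data.decode("ascii", errors="ignore")
    m = CONN_STRING_RE.search(text)
    if m and ACCOUNT_KEY_RE.match(m.group(2)):
        return {"kind": "connection_string", "account": m.group(1)}
    if ACCOUNT_KEY_RE.match(text):
        return {"kind": "bare_account_key", "account": None}
    return None

def scan_process_logs(lines):
    """One finding per process record whose argument after '-o' decodes to an
    Azure Storage secret; ordinary '-o output.file' usage produces nothing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, image, args = m.group(1), m.group(2), m.group(3).split()
        for i, arg in enumerate(args[:-1]):
            data = decode_b64_strict(args[i + 1]) if arg == "-o" else None
            hit = classify_payload(data) if data else None
            if hit:
                findings.append({"host": host, "image": image, **hit})
    return findings

# Constructed sample records (not from the Sophos report): a normal compiler run and
# the page's binary given a Base64 fake connection string (dummy all-zero key) via '-o'.
FAKE_KEY = base64.b64encode(b"\x00" * 64).decode()
FAKE_CONN = (f"DefaultEndpointsProtocol=https;AccountName=victimstorage;"
             f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net")
SAMPLE_LOGS = [
    "host=SRV01 image=C:\\tools\\gcc.exe cmdline=gcc -o app.exe main.c",
    "host=SRV02 image=C:\\Users\\Public\\IzBEIHCMxAuKmis6.exe cmdline=IzBEIHCMxAuKmis6.exe -o "
    + base64.b64encode(FAKE_CONN.encode()).decode(),
]
```

Run `scan_process_logs(SAMPLE_LOGS)` to see that only the second record is flagged, with the account name recovered from the decoded connection string.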

The threat actors used several other tools during this attack to keep control of the compromised systems. Using Chrome, they accessed the LastPass password manager, which the victim had installed as a browser extension, and from it obtained a one-time password (OTP) for the victim’s Sophos Central account, the console used to manage their Sophos security products.

After that, the attackers changed the security settings in Sophos Central and turned off its Tamper Protection feature. Then they ran a custom executable named “IzBEIHCMxAuKmis6.exe” to encrypt the customer’s computers and Azure Storage accounts, with the encrypted files given the extension “.zk09cvt”, and left a ransom note on the affected computers.

The Sphynx build also embedded Impacket, a freely available open-source toolkit, which the attackers used to steal credentials and move laterally across the network.

How to prevent

We have created a ransomware guide that explains the common myths around ransomware and how to stay secure.
