Ransomware group BlackCat has allegedly breached the systems of NJVC, a company that provides IT infrastructure services for the U.S. federal government and the Department of Defense. It is unclear when the breach occurred and how BlackCat managed to get past NJVC’s defenses; however, the group posted about the attack on Wednesday.
NJVC has not confirmed the breach and has yet to comment on it.
On Thursday, deep web intelligence firm DarkFeed confirmed the breach and shared screenshots from BlackCat’s website, where the group claimed to have stolen “a lot of material” from NJVC’s servers.
BlackCat urged NJVC to reach out to them, threatening to release stolen confidential data every 12 hours if the company doesn’t comply.
“We look forward to your feedback. It’s in your best interest,” the notorious ransomware group wrote.
BlackCat posted proof of the breach, but its website went offline afterward, security researchers at VX-Underground revealed early Friday. Nicholas Carroll, a cybersecurity professional with Raytheon Technologies, said BlackCat’s site appears to be online again, but NJVC’s data was removed temporarily.
BlackCat: A Looming Threat
BlackCat is also known by other names, including ALPHV and Noberus. The group is believed to be a reincarnation of the notorious international ransomware operations BlackMatter and DarkSide, both of which have gone dark since the U.S. Colonial Pipeline attacks.
BlackCat’s ransomware has been used to target organizations in different sectors, including transportation, engineering, retail, telecommunications, and pharmaceuticals. In June, Microsoft became one of the high-profile victims of BlackCat after a breach of Microsoft Exchange servers.
Recently, Stairwell and Cyderes researchers found that BlackCat’s Exmatter ransomware tool has been upgraded to corrupt files on victims’ devices after securing a copy for the threat actor. This disturbing development appears to be the group’s way of ensuring victims have no option but to comply with their ransom demands.
Protecting Your Organization From Ransomware
“In the BlackCat-related incident we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers,” Microsoft’s Threat Intelligence team said in a report earlier this year.
The report noted that BlackCat ransomware variants usually exploit security lapses such as compromised credentials, insufficient identity posture, vulnerable Exchange servers, insufficient access monitoring, and legacy configurations and misconfigurations.
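The two lapses the report pairs most often are compromised credentials against internet-facing remote access software and insufficient access monitoring. The script below is an added illustration of what the missing monitoring looks like in practice; it is not code from the article, from Microsoft’s report, or from NJVC. It assumes a constructed log format (one line per authentication attempt: timestamp, source address, username, result) for a hypothetical remote access gateway, and raises two kinds of alert a defender would want: many distinct usernames failing from one source inside a short window (a spray pattern), and a successful login from a source that has just accumulated a run of failures.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): one line per
# authentication attempt against a hypothetical internet-facing remote
# access gateway. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2022-09-29T02:11:03Z src=203.0.113.7 user=alice result=FAIL
2022-09-29T02:11:09Z src=203.0.113.7 user=bob result=FAIL
2022-09-29T02:11:15Z src=203.0.113.7 user=carol result=FAIL
2022-09-29T02:11:21Z src=203.0.113.7 user=dave result=FAIL
2022-09-29T02:11:27Z src=203.0.113.7 user=eve result=FAIL
2022-09-29T02:12:40Z src=203.0.113.7 user=eve result=OK
2022-09-29T02:13:02Z src=198.51.100.9 user=frank result=FAIL
2022-09-29T02:13:20Z src=198.51.100.9 user=frank result=OK
2022-09-29T02:14:00Z malformed line that the parser must skip
"""

# Assumed line layout for the constructed log format above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    success: bool


def parse_log(text):
    """Parse log text into AuthEvents sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one malformed line take the detector down
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=m["src"],
            user=m["user"],
            success=(m["result"] == "OK"),
        ))
    return sorted(events, key=lambda e: e.ts)


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_users=3):
    """Return (rule, src, detail) tuples for suspicious access patterns.

    password_spray          - one source fails against >= spray_users distinct
                              accounts inside `window` (reported once per source)
    success_after_failures  - a source logs in successfully right after
                              >= fail_threshold failures inside `window`
    """
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    for src, evs in by_src.items():
        recent_fails = []      # sliding window of this source's failures
        spray_reported = False
        for ev in evs:
            # Drop failures that have aged out of the window.
            recent_fails = [f for f in recent_fails if ev.ts - f.ts <= window]
            if not ev.success:
                recent_fails.append(ev)
                users = {f.user for f in recent_fails}
                if len(users) >= spray_users and not spray_reported:
                    alerts.append(("password_spray", src, sorted(users)))
                    spray_reported = True
            elif len(recent_fails) >= fail_threshold:
                alerts.append(("success_after_failures", src, ev.user))
                recent_fails = []  # reset so one login yields one alert
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, src, detail in run_sample():
        print(f"{rule}: src={src} detail={detail}")
```

On the sample, 203.0.113.7 trips both rules (five different accounts fail, then eve logs in), while 198.51.100.9 trips neither: a single mistyped password followed by success is normal user behaviour. The thresholds and window are assumptions to tune against your own gateway's baseline; the spray rule reports the usernames seen at the moment the threshold was crossed, and the success rule clears the failure window so one login produces one alert.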
According to the 2022 Allianz Risk Barometer, ransomware is the number one risk to global security. You can read more about this threat and how to strengthen your organization’s defenses in our guide to ransomware.