Munster Technological University (MTU) is the latest victim of BlackCat, a sophisticated ransomware gang which, although in operation for less than two years, has racked up hundreds of victims.
It is easy to tell who many of these victims are. Their stolen data is listed openly on BlackCat’s website which, though located on the dark web, is accessible with certain types of browsers and a minimal amount of computer knowledge.
Alongside the more than 6GB of internal files stolen from MTU are the files of energy companies, fast food chains and hotels. The hacking group has also been known to post stolen data in searchable form on the general internet.
MTU refused BlackCat’s ransom demands, meaning the criminals had little to lose by dumping the stolen data online. In the university’s case, this includes huge amounts of personal data relating to staff and students.
[ Munster Technological University cyberattack the work of sophisticated ransomware group ]
[ Munster Technological University hackers will cut their losses and walk away – cyber expert ]
BlackCat is the latest big player in the growing ransomware as a service (RaaS) market. The group is a digital gun for hire which criminals pay to target organisations on their behalf, with any ransoms divided up afterwards.
It is an attractive option for traditional criminal groups looking to make easy money. Experts believe BlackCat will carry out attacks in exchange for as little as 10 per cent of the eventual ransom.
MTU is declining to disclose the size of the ransom demand its received but BlackCat has been known to ask for up to €1.5 million in some cases.
In order to gain access to victims’ computer systems, BlackCat often pays other hackers who have already detected vulnerabilities in their defences. In some cases, these “vendors” are disgruntled former employees of the target who are eager to settle a score.
It is the same modus operandi as Conti, the group which carried out the devastating Health Service Executive cyberattack almost two years ago. But BlackCat also has some new tricks which are causing cybersecurity experts serious concern.
[ Data stolen in HSE cyberattack included staff financial details ]
Like the HSE attackers, BlackCat uses a two-pronged approach. Hackers lock the computer systems of their targets before threatening to publish their confidential data if a ransom is not paid.
But BlackCat goes a step further. It also threatens to direct Denial of Service (DoS) attacks against victims’ websites to force them to pay up. This involves marshalling thousands of bots to access the site at the same time, causing it to crash. It is not known if this was a factor in the MTU attack.
It also uses a modern programming language to infiltrate its target, one which is adept at evading many current cyber defences.
“The ransomware it uses is pretty advanced. It’s much more versatile,” said cybersecurity expert Maciej Makowski, a former member of the Garda cybercrime unit.
The gang will sometimes even taunt employees of a target, telling them their info has been leaked online, with the intention of increasing pressure on the target to pay the ransom.
BlackCat, whose members are based in Russia and other former Soviet Union countries, claims it does not target hospitals and medical institutions.
[ Cost of HSE cyberattack rises to €80m, letter shows ]
According to Makowski, this is probably just a public relations claim. BlackCat will likely attack whoever they are hired to target. It has already targeted multiple heathcare organisations in the US.
One of the reasons BlackCat is such a formidable threat is it is made up of hackers from Darkside and Revile, two of the most prolific ransomware organisations of recent years.
ReVile was dismantled by Russian police in January of last year, leading some members to transfer to BlackCat. According to some, Russia was after the group’s technology so it could be utilised against Ukraine.
The attack on MTU seems to be the first big attempt by BlackCat to extort an Irish institution. Given the gang’s rate of activity to date, it is unlikely to be the last.
