Type
Incident
Actors
BlackCat
Pub. date
September 13, 2023
Initial access
Unknown
Impact
RansomOp
Observed techniques
Bucket / storage ransomware
References
https://twitter.com/SophosXOps/status/1702051378644861114https://thehackernews.com/2022/06/blackcat-ransomware-gang-targeting.html
Status
Stub
Last edited
Jun 2, 2024 8:02 AM
The threat actors gained access to the customer's Azure portal, where they obtained the Azure key required to access the storage account programmatically. The adversary encoded the keys using base-64 and inserted them into the ransomware binary with execution command lines below. The “-o” argument targets an Azure Storage account name and access key, and the same binary was executed multiple times to target 39 unique Azure Storage Accounts, resulting in successful encryption.