BlackCat Ransomware-as-a-Service and VMware ESXi…Again

Airgap Networks
3 min read · May 1, 2022


FBI warns of BlackCat ransomware that breached Over 60 Organisations Worldwide

The FBI reported that BlackCat malware, a ransomware-as-a-service (RaaS) offering, was released by the DarkSide/BlackMatter group. Its variants, ALPHV and Noberus, are the first-ever malware written in the Rust programming language.

BlackCat’s methods include stealing data before encrypting the victim’s files. The operators use previously stolen credentials before executing their attacks. The FBI and other agencies reported that the initial attack vector involved exploiting an internet-facing firewall before encrypting a VMware ESXi server farm.

This is yet another VMware ESXi CVE reported since 2021, and the LockBit RaaS behavior pattern is more or less the same. Read our previous blog on the CVEs and how agentless segmentation with Zero Trust can help contain and isolate ESXi host and console access.

FBI recommendations

The FBI is urging organizations to review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts, take offline backups, implement network segmentation, apply software updates, and secure accounts with multi-factor authentication.

Micro-segmentation is critical to stopping Ransomware propagation

Ransomware becomes a successful breach once it compromises a single host and propagates laterally across the same Layer 2 network. This east-west lateral attack vector can be contained with agentless micro-segmentation whose policy-based controls are already in place. By pre-defining the permitted ports, protocols, and host-to-host communications ahead of time, east-west attacks can be prevented regardless of the specific malware involved.

Network of One

Clients who have deployed Airgap’s agentless micro-segmentation isolation architecture have access to pre-defined permitted policies and controls within the Layer 2 VLAN, designed to stop east-west propagation by isolating each host into its own network. Airgap’s policy engine is proactively defined so that only designated ports and protocols are allowed to communicate within each micro-segment; all other communications are blocked.

In the event of an actual ransomware outbreak, clients can adjust their level of enforcement using Airgap’s patented Ransomware Kill Switch™ to dial up protection in real time from centralized control, stopping lateral propagation in the parts of the network that need a higher level of protection.
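To make the allow-list model in the two passages above concrete, here is an added example (not Airgap’s code) of a default-deny east-west policy evaluator with a kill-switch enforcement level that suspends all but the rules flagged as critical; the host labels, rules, and sample flows are constructed for illustration.

```python
# Added illustration (not Airgap's code): default-deny east-west policy evaluation
# with a "kill switch" enforcement level that tightens the allow-list further.
# Host labels, policy rules and sample flows are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str                # source host or group label
    dst: str                # destination host or group label
    proto: str              # "tcp" or "udp"
    port: int
    critical: bool = False  # stays allowed while the kill switch is active


# Constructed allow-list: any flow not listed here is denied (default deny).
POLICY = [
    Rule("workstation", "fileserver", "tcp", 445),                 # SMB to file share
    Rule("workstation", "dc", "tcp", 389),                         # LDAP to domain controller
    Rule("workstation", "dc", "udp", 53, critical=True),           # DNS stays up under kill switch
    Rule("mgmt-jumphost", "esxi-host", "tcp", 443, critical=True), # ESXi console via jump host only
]


def evaluate(flow, policy=POLICY, kill_switch=False):
    """Return ("allow"|"deny", reason) for a flow tuple (src, dst, proto, port).

    Normal mode allows only flows matching a rule. Kill-switch mode allows only
    rules flagged critical, cutting east-west traffic while the services needed
    to operate and recover remain reachable.
    """
    src, dst, proto, port = flow
    for rule in policy:
        if (rule.src, rule.dst, rule.proto, rule.port) == (src, dst, proto, port):
            if kill_switch and not rule.critical:
                return "deny", f"kill switch active: non-critical rule suspended ({rule})"
            return "allow", f"matched rule {rule}"
    return "deny", "no matching rule (default deny)"


# Constructed sample flows; the third is a workstation-to-workstation SMB hop,
# the classic lateral-propagation path, and matches no rule in either mode.
SAMPLE_FLOWS = [
    ("workstation", "fileserver", "tcp", 445),
    ("workstation", "dc", "udp", 53),
    ("workstation", "workstation", "tcp", 445),
    ("mgmt-jumphost", "esxi-host", "tcp", 443),
]


def summarize(kill_switch=False):
    """Map each sample flow to its verdict under the given enforcement level."""
    return {f: evaluate(f, kill_switch=kill_switch)[0] for f in SAMPLE_FLOWS}
```

Calling `summarize()` and `summarize(kill_switch=True)` shows the workstation-to-workstation SMB flow denied in both modes, while the non-critical SMB share rule drops out once the kill switch is active.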

Airgap Networks is the industry’s first Zero Trust agentless segmentation solution, built on Zero Trust principles and working at the intersection of IT and OT to keep your organization secure from external and internal threats.

Airgap’s comprehensive Zero Trust offerings form a formidable defense against adversaries. Airgap’s Secure Asset Access (SAA) solution ensures that only authenticated users who have passed multi-factor authentication (MFA) gain access to confined resources. Airgap’s Zero Trust Isolation (ZTI) solution ensures that all your assets, modern or legacy, are protected against lateral threat movement.

Based in Santa Clara, Calif., Airgap Networks delivers an Agentless Zero Trust Segmentation platform that ring-fences every endpoint and prevents ransomware propagation. Airgap’s unique and patented Ransomware Kill Switch™ is the most potent response against ransomware threats.

Airgap offers a scalable solution for remote access using Zero Trust principles. https://airgap.io

Image source: Hacker News
