Trend Micro Analyzes BlackCat Ransomware

Trend Micro shares details of an incident involving BlackCat ransomware to provide an insight into the infection sequence. The attack began with the identification of suspicious web shells on Microsoft Exchange Servers having exploited ProxyLogon and ProxyShell vulnerabilities. Activity following involved PowerShell having been spawned from Internet Information Services (IIS) worker process (w3wp.exe) to download a Cobalt Strike Beacon and a DLL file that was executed with rundll32.exe. Through process injection of Windows error reporting process, WerFault.exe the attackers initiated commands for discovery, credentials access with CrackMapExec dumping NTDS.dit and spreading laterally in the environment through SMB. Prior to ransomware execution, the attackers launched batch scripts however, the script was not captured by Trend Micro for analysis.