A new ransomware variant called BlackCat has been discovered that targets Azure storage accounts and encrypts the files stored in them. The ransomware uses a custom encryption tool called Sphynx, which is written in Python and compiled into an executable file.

The BlackCat ransomware was first reported by security researcher Rui Lopes, who found a sample of the Sphynx encryptor on VirusTotal. Lopes analyzed the sample and found that it was designed to scan for Azure storage accounts and encrypt the files with a random AES key. The ransomware also appends the .blackcat extension to the encrypted files and drops a ransom note named READ_ME.txt in each affected folder.

The ransom note instructs the victims to contact the attackers via email (blackcat@tutanota.com) or Telegram (@blackcatransom) and provide their unique ID, which is generated by the Sphynx encryptor. The attackers then demand a ransom of 0.05 Bitcoin (about $2,300) for the decryption key. The note also warns the victims not to rename or modify the encrypted files, as this may result in permanent data loss.

According to Lopes, the Sphynx encryptor uses the Azure Python SDK to access the storage accounts and perform the encryption. The encryptor requires a configuration file named config.json, which contains the credentials and parameters for connecting to the Azure storage accounts. The configuration file also specifies which file extensions are to be encrypted, such as .docx, .xlsx, .pdf, .jpg and .png.
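Defenders can hunt for the two indicators the report describes above (the appended .blackcat extension and a READ_ME.txt note in each affected folder) by walking a blob listing. The following Python is an added example, not code from the article or from any vendor; the blob names are constructed, and the assumption is that in a live hunt they would come from the azure-storage-blob ContainerClient.list_blobs() call.

```python
import posixpath
from collections import defaultdict

# Indicators taken from the report: encrypted blobs get this suffix appended,
# and a ransom note with this name is dropped in each affected folder.
RANSOM_EXTENSION = ".blackcat"
RANSOM_NOTE_NAME = "READ_ME.txt"

# Constructed sample listing, not real data. In a live hunt the names would come
# from azure.storage.blob.ContainerClient.list_blobs() (assumed deployment).
SAMPLE_BLOBS = [
    "finance/2023/budget.xlsx.blackcat",
    "finance/2023/forecast.pdf.blackcat",
    "finance/2023/READ_ME.txt",
    "hr/policies/handbook.docx",
    "hr/policies/org-chart.png",
    "marketing/logo.png.blackcat",
    "marketing/READ_ME.txt",
    "backups/db-2023-09-01.bak",
    "README.txt",  # ordinary file; must not match the ransom note name
]

def scan_blob_names(blob_names):
    """Return {folder: {"encrypted": [names], "ransom_note": bool}} for every
    folder where at least one indicator was observed ("" = container root)."""
    findings = defaultdict(lambda: {"encrypted": [], "ransom_note": False})
    for name in blob_names:
        folder, base = posixpath.split(name)
        if base == RANSOM_NOTE_NAME:
            findings[folder]["ransom_note"] = True
        elif base.lower().endswith(RANSOM_EXTENSION):
            findings[folder]["encrypted"].append(base)
    return dict(findings)

def classify(folder_finding):
    """'confirmed' when note and encrypted blobs coexist, otherwise 'suspect'."""
    both = folder_finding["ransom_note"] and folder_finding["encrypted"]
    return "confirmed" if both else "suspect"

def original_name(blob_name):
    """Recover the pre-encryption name: the report says Sphynx only appends
    the extension, so stripping it gives the name to restore from backup."""
    if blob_name.lower().endswith(RANSOM_EXTENSION):
        return blob_name[: -len(RANSOM_EXTENSION)]
    return blob_name

if __name__ == "__main__":
    for folder, hit in scan_blob_names(SAMPLE_BLOBS).items():
        print(f"{folder or '<root>'}: {classify(hit)}, "
              f"{len(hit['encrypted'])} encrypted blob(s)")
```

A folder flagged "suspect" (note without encrypted blobs, or the reverse) is worth a manual look, since an interrupted run or a partial restore produces exactly that pattern.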

The Sphynx encryptor can be executed either locally or remotely, depending on how the attackers deliver it to the target system. Lopes suggested that the attackers may use phishing emails, compromised websites, or brute-force attacks to gain access to the Azure storage accounts and run the encryptor.

The BlackCat ransomware is another example of how cybercriminals are exploiting cloud services and platforms to launch their attacks. Azure storage accounts are widely used by organizations and individuals to store and share data in the cloud. However, if not properly secured, they can also expose sensitive data to unauthorized access and encryption by ransomware.

Azure security best practices

To protect your Azure storage accounts and data from ransomware attacks, you should follow some security best practices, such as: