A new ransomware variant called BlackCat has been discovered that targets Azure storage accounts and encrypts the files stored in them. The ransomware uses a custom encryption tool called Sphynx, which is written in Python and compiled into an executable file.
The BlackCat ransomware was first reported by security researcher Rui Lopes, who found a sample of the Sphynx encryptor on VirusTotal. Lopes analyzed the sample and found that it was designed to scan for Azure storage accounts and encrypt the files with a random AES key. The ransomware also appends the .blackcat extension to the encrypted files and drops a ransom note named READ_ME.txt in each affected folder.
The ransom note instructs the victims to contact the attackers via email (firstname.lastname@example.org) or Telegram (@blackcatransom) and provide their unique ID, which is generated by the Sphynx encryptor. The attackers then demand a ransom of 0.05 Bitcoin (about $2,300) for the decryption key. The note also warns the victims not to rename or modify the encrypted files, as this may result in permanent data loss.
According to Lopes, the Sphynx encryptor uses the Azure Python SDK to access the storage accounts and perform the encryption. The encryptor requires a configuration file named config.json, which contains the credentials and parameters for connecting to the Azure storage accounts. The configuration file also specifies the file extensions to be encrypted, such as .docx, .xlsx, .pdf, .jpg, .png, etc.
The Sphynx encryptor can be executed either locally or remotely, depending on how the attackers deliver it to the target system. Lopes suggested that the attackers may use phishing emails, compromised websites, or brute-force attacks to gain access to the Azure storage accounts and run the encryptor.
The BlackCat ransomware is another example of how cybercriminals are exploiting cloud services and platforms to launch their attacks. Azure storage accounts are widely used by organizations and individuals to store and share data in the cloud. However, if not properly secured, they can also expose sensitive data to unauthorized access and encryption by ransomware.
Azure security best practices
To protect your Azure storage accounts and data from ransomware attacks, you should follow some security best practices, such as:
- Enable multi-factor authentication (MFA) and strong passwords for your Azure account and users. MFA can help prevent unauthorized access to your account even if your credentials are compromised. Strong passwords can reduce the risk of brute-force attacks.
- Use role-based access control (RBAC) and Azure Active Directory (Azure AD) to manage permissions and identities for your storage accounts and resources. RBAC allows you to grant only the minimum required privileges to your users and applications. Azure AD provides identity and access management features such as conditional access, identity protection, and privileged identity management.
- Enable encryption for your storage accounts and data. Encryption can help protect your data from unauthorized access and modification. You can use Azure Storage Service Encryption (SSE) to encrypt your data at rest with Microsoft-managed keys or customer-managed keys. You can also use client-side encryption to encrypt your data before uploading it to Azure.
- Enable firewall and virtual network rules for your storage accounts. Firewall and virtual network rules can help restrict access to your storage accounts based on IP addresses or virtual networks. You can also use service endpoints or private endpoints to securely connect your storage accounts to your virtual networks.
- Enable soft delete and point-in-time restore for your storage accounts. Soft delete and point-in-time restore can help you recover your data in case of accidental deletion or corruption by ransomware. Soft delete allows you to restore deleted blobs or files within a retention period. Point-in-time restore allows you to restore an entire container or share to a previous state within a restore period.
- Monitor and audit your storage account activity and performance. Monitoring and auditing can help you detect any suspicious or anomalous behavior on your storage accounts and take appropriate actions. You can use Azure Monitor to collect and analyze metrics, logs, alerts, and diagnostics for your storage accounts. You can also use Azure Storage Analytics to track requests, transactions, availability, latency, errors, capacity, and network usage for your storage accounts.