
BlackCat crew supposedly behind OilTanking ransomware heist

Preliminary reports from Germany’s national cyber authority indicate the recent OilTanking ransomware attack may have been the work of the BlackCat group

Investigators in Germany have fingered the BlackCat ransomware group as being behind a still-unfolding cyber attack on the systems of OilTanking, a Hamburg-based fuel distribution firm.

As previously reported by Computer Weekly, the attack began on 29 January and is affecting 13 fuel terminals in Germany. The incident has knocked the automated systems used for filling tanks offline, meaning facility workers are having to do the job manually.

As a result, supplies to around 200 petrol stations, most of them in northern Germany, are being disrupted. OilTanking’s operations outside Germany are unaffected.

Handelsblatt, the German newspaper that was among the first media outlets to report on the incident, has now obtained a copy of an internal document from Germany’s Federal Office for Information Security that identified the BlackCat group as the perpetrators of the attack.

OilTanking did not comment on the veracity of the document, referring to previous statements made through its corporate communications department.

The BlackCat ransomware, and the group behind it, which sometimes goes by the name ALPHV, was virtually unknown until a few months ago, according to ESET global cyber security advisor Jake Moore. However, the group now appears to be building a franchise model that may include members of other crews, possibly including REvil operators still at large. There are also indicators it may be a rebrand of another group.

Moore said BlackCat was a particularly sophisticated ransomware. “[It] cleverly allows the attacker to customise the attack to certain employees and choose what to shut down, as well as being able to learn how to move across into other parts of the network,” he explained.

“These customisable tactics make it extremely effective in an attack and difficult to shut down. BlackCat operators are known to perform not only the standard encryption technique and data extraction, but also to include the added threat of a DDoS as well.

“This extremely sophisticated ransomware attack shows once again how important medium-sized companies can be for critical infrastructure. The fact that the malicious code used has already been known since November makes it clear how much there is still to catch up on in terms of IT security,” said Moore.

Despite its relative youth, BlackCat has rapidly emerged as a force to be reckoned with. As of December 2021, it had the seventh largest number of victims listed on its leak site among ransomware groups tracked by Palo Alto Networks’ Unit 42.

Its victims have spanned various industries, although its operators seem to prefer to target sectors such as construction, insurance and transport. The average ransom it demands currently stands at about $14m, well above the general average. BlackCat also takes an “aggressive approach” to naming and shaming its victims, according to Unit 42’s researchers.

ALPHV appears to be based out of Russia, and is notable for having written BlackCat in Rust, one of the first gangs to do so. This, said Unit 42’s Amanda Tanner, Alex Hinchcliffe and Doel Santos, gives it a distinct advantage.

“By leveraging the Rust programming language, the malware authors are able to easily compile it against various operating system architectures, which facilitates the group’s ability to pivot from one victim to the next,” they said.
