California-based CR&R Environmental Services has been hit by BlackCat ransomware, weeks after Vice Society attacked the same organisation. A threat intelligence researcher at Cyble confirmed to The Cyber Express that the BlackCat/ALPHV ransomware leak site has listed the environmental services company as a victim.
CR&R is a large waste and recycling collection firm in Southern California that serves over 3 million customers and 25,000 businesses in Orange, Los Angeles, San Bernardino, Imperial, and Riverside counties. The company also operates in Southern Arizona and Colorado, recycling over 500,000 tons of material each year.
At the time of publishing this article, it remains unclear what data was taken or which vulnerability, if any, was exploited.
— Dominic Alvieri (@AlvieriD) December 27, 2022
CR&R Environmental and Vice Society
On November 7, 2022, HackNotice published an alert on its website about the earlier ransomware attack on CR&R. The company has not issued any statement on that attack, and the subsequent BlackCat intrusion also appears to have gone under the radar.
“CR&R Incorporated was targeted by Vice Society and compromised data was published on November 6, 2022,” the Cyble researcher told The Cyber Express.
The data contains financial information of the company, HR and payroll documents including PII of employees, customer information, project documentation and other secret/confidential documents regarding the company’s operations.
Since it first emerged in 2021, BlackCat has targeted enterprises in a wide range of industries, including construction, retail, manufacturing, technology, and energy, to name a few. In 2022, a large-scale attack on German energy companies marked the group’s entry into big-game hunting.
Vice Society, for its part, is a ransomware group that has been particularly active in targeting schools and other organizations. Rather than relying on a locker of its own, it has been known to deploy pre-existing ransomware strains such as HelloKitty and Zeppelin.
Vice Society and BlackCat
“Vice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications,” said a CISA alert on the ransomware gang.
Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data for double extortion, a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom.
BlackCat/ALPHV operators gain initial access with previously compromised user credentials. Once inside, the malware compromises Active Directory user and administrator accounts as well, which lets the operators move laterally and push the ransomware across the domain rather than to a single machine.
For defenders, the practical lessons are to treat credential reuse as the likely entry point: enforce multi-factor authentication on internet-facing services, audit and rotate privileged Active Directory accounts, and alert on accounts that suddenly authenticate to many hosts or acquire administrative rights.
“BlackCat/ALPHV steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored. The actors leverage Windows scripting to deploy ransomware and to compromise additional hosts,” said an FBI briefing on the ransomware gang.
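The pattern the CISA and FBI notices describe, a stolen account that starts authenticating across many hosts and picking up administrative rights before the locker is pushed out, is detectable from Windows Security logon telemetry. The following is an added example written for this article, not code from Cyble, CISA or the FBI. It runs two simple checks over a handful of constructed, simplified log lines (timestamp, event ID, account, source host, destination host; real exports carry far more fields): a fan-out check that flags an account logging on to several distinct hosts inside a short window, and a check for privileged logons (event 4672) by accounts outside a known-admin baseline. The thresholds, host names and accounts are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example, not real telemetry.
# Format: timestamp,event_id,account,source_host,dest_host
# 4624 = successful logon, 4672 = special privileges assigned to new logon.
SAMPLE_EVENTS = [
    "2022-11-01T08:02:11,4624,alice,WS-ALICE,FS01",
    "2022-11-01T09:15:40,4624,bob,WS-BOB,FS01",
    "2022-11-01T09:16:02,4672,svc-backup,BK01,DC01",   # expected admin activity
    "2022-11-01T13:40:19,4624,alice,WS-ALICE,FS01",
    # After hours, bob's credentials start touching many hosts in quick succession
    "2022-11-01T22:03:05,4624,bob,WS-BOB,FS01",
    "2022-11-01T22:03:41,4624,bob,WS-BOB,FS02",
    "2022-11-01T22:04:10,4624,bob,WS-BOB,DC01",
    "2022-11-01T22:04:58,4624,bob,WS-BOB,HR-SRV",
    "2022-11-01T22:05:30,4672,bob,WS-BOB,DC01",        # bob is suddenly privileged
]


def parse_events(lines):
    """Parse the simplified CSV lines into dicts, sorted by timestamp."""
    events = []
    for line in lines:
        ts, event_id, account, src, dst = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "src": src,
            "dst": dst,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for accounts that logged on (4624) to at
    least min_hosts distinct destination hosts within any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624:
            by_account[e["account"]].append(e)

    hits = {}
    for account, logons in by_account.items():
        for i, start in enumerate(logons):
            hosts = set()
            for e in logons[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                hosts.add(e["dst"])
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break  # one finding per account is enough
    return hits


def detect_new_privileged(events, known_admins):
    """Return accounts that received a privileged logon (4672) but are not in
    the maintained admin baseline. Thresholds and baseline are assumptions."""
    return sorted({
        e["account"] for e in events
        if e["event_id"] == 4672 and e["account"] not in known_admins
    })


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("lateral-movement fan-out:", detect_fan_out(evs))
    print("unexpected privileged logons:", detect_new_privileged(evs, {"svc-backup"}))
```

On the sample data only bob trips both checks: four distinct hosts within two minutes, followed by a privileged logon for an account that is not in the admin baseline. In production the same logic would be fed from event forwarding or a SIEM, and the baseline of known administrators would come from Active Directory group membership rather than a hard-coded set.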