US-based firearms business Central Missouri Machine Guns (CMMG) Inc was allegedly attacked by BlackCat ransomware gang. The ransomware gang listed the company as a victim on their leak site.
Nothing else is known about the CMMG data breach in terms of the amount of data stolen, if a ransom was demanded, the deadline for paying a ransom, etc. website of the leading firearm manufacturer was accessible at the time of publishing this article.
CMMG, ordnance businesses, and ransomware attacks
CMMG Inc is an American firearms company founded in 2002 by John and Jeff Overstreet. It specializes in the manufacture of AR-derivative rifles and carbines.
The company recently entered into an exclusive agreement with US-based business Digital Arms to design, develop and market non-fungible tokens (NFTs) based on CMMG’s firearm models.
CMMG is the latest in the list of weapons manufacturers hit by ransomware.
Indian business Solar Industries Limited India reportedly faced a ransomware attack recently. Its subsidiary Economic Explosives Ltd (EEL) is the Indian defence ministry’s contractor for hand grenades.
Wilson Combat, a US-based custom pistol manufacturer located, disclosed a data breach in September 2022, “after an unauthorized party gained access to sensitive consumer information that was entrusted to the company”.
The National Rifle Association (NRA) was listed by the Grief ransomware gang in 2021 October as a victim. After vehemently denying for months, the right-wing gun lobby conceded in March 2022 that it was a victim of a ransomware attack.
On October 20, 2021, our sponsoring organization was victim of a ransomware attack that took our network offline for over two weeks. During that time, we were not able to access email or network files,” NRA disclosed.
BlackCat ransomware group
Also called AlphaVM, AlphaV, or ALPHV, BlackCat is known to have employed Rust-based ransomware first before other ransomware groups followed suit. Rust is a cross-platform language that allows manipulation on Linux and Windows because of its customizability across operating systems.
“Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats,” reported Microsoft.
BlackCat launches triple extortion technique to pressurize the target to pay the ransom. They first exfiltrate data using ransomware and threaten targets with a DDoS attack to jam their network with excessive traffic requests. This way, targets are forced to pay to escape the following DDoS attack.
AlphaVM has used ExMatter data exfiltration tool and Eamfo malware to steal login credentials from Veeam backup software. The group has been found to work with the member of the defunct DarkSide and BlackMatter ransomware-as-a-service (RaaS) likely to leverage networks and RaaS models.
“In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the following commands below (Table 1) via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment,” said the Microsoft report.
BlackCat ransomware has taken an unusual step by making its leak site public, thereby making stolen information easily accessible to anyone.
Normally, leak sites are hosted on Tor sites that restrict access to only victims, threat researchers, and other cybercriminals. The public leak site puts more pressure on victims to pay the ransom demanded by the attackers.
To attract more affiliates, BlackCat offers higher payouts of up to 90% of the ransom paid, noted a Trend Micro report. Researchers have noted that BlackCat’s aggressive efforts to recruit new affiliates through attractive payouts are a smart move in a highly competitive field.
The group has even posted ads on underground forums such as the Ransomware Anonymous Market Place (RAMP) and other Russian-speaking hacking forums to lure potential affiliates into joining its network.