As part of that digital upgrade, Michigan-based Wolverine Worldwide plans to increase customer personalization and make it even more intuitive and engaging to shop and buy goods from its portfolio of brands, which also includes Keds, Sweaty Betty and Merrell.
“With so many good retailers today, consumers have many choices, so they’ve become accustomed to, and gravitate toward, better user experiences,” says Chris Hufnagel, president of Merrell, also headquartered in Michigan. “Brands that can’t create seamless experiences are going to be at a competitive disadvantage.
“If we create a lot of friction for consumers as they try to engage with us, regardless of channel, that’s not good for the long-term health of the brand,” Hufnagel adds. “In the future, the road is going to be littered with brands that didn’t make it easy for consumers.”
By moving to Azure Arc – which allows data and apps to be securely shared between on-premises hardware, a cloud or multiple clouds (multicloud) – Wolverine Worldwide and its brands say they will ensure more stock availability and faster shipping, along with other enhancements.
A consumer inspects her shipment of shoes from one of Wolverine Worldwide’s brands.
In time, the company and its brands also aim to personalize shoppers’ experiences, offering product-specific insights and individual recommendations as buyers peruse goods, enabling better informed buying decisions tailored to individual tastes.
“Think about one of our customers. Let’s call him ‘James.’ What do we know about James today?” says Dee Slater, chief information officer and senior vice president at Wolverine Worldwide. “We run our CRM (customer relationship management platform), so we know what James bought from us and if he’s returned any items. But that’s about all we know.
“In the future, as we build a data lake and a customer data platform, we’ll apply some AI (artificial intelligence) over that data, and we’ll know that James really likes the color blue,” Slater adds. “And we’ll know James is a hiker. So eventually, when James comes to our website or enters our stores, we’re going to present him with blue hiking shoes.
That innovation is part of a far larger tech transformation Wolverine is beginning under CEO and president Brendan Hoffman, who took over the top role in January 2022.
The company now known as Wolverine Worldwide was founded in Michigan in 1883. By 1903, the family business was making 300 pairs of shoes a day
The company’s digital push will invest in technology to bolster the supply chain, modernize how employees work, and enable Wolverine Worldwide and its distinct brands to scale production up or down based on seasonal or market demands, Slater says.
“We are on an overdue journey,” she says. “The move to Azure is all about supporting that initiative.”
At the same time, Wolverine Worldwide also is transitioning to RISE with SAP on Azure and the Microsoft Cloud. That offering gives companies access to an array of SAP cloud-based services, solutions and tools through a single license. Running the solution on Azure accelerates cloud journeys and helps companies combine their advanced technologies, hardware, software and databases.
And by implementing Azure Arc, Wolverine Worldwide is shifting away from legacy, on-premises platforms to nimbler, multicloud, multitenant environments. The gains in business speed and agility derived from that deployment, Slater says, will be “transformational.” One example: Azure Arc has helped employees start using data to drive their decisions, moving from “hindsight to foresight with AI and machine learning.”
Dee Slater.
That set of technologies also will help ensure that employees can continue to securely share files, communicate and collaborate in the cloud, particularly while working remotely.
“Attracting and retaining talent today is mission critical to every brand on the planet, including ours,” Slater says. “People don’t want to come to work and use an abacus. They want to move quickly, use modern, easy-to-use productivity tools, and have access to data that drives insights. They want to know they’re making a difference.
“By moving to the Azure cloud – with the speed that we’ll be getting from that shift – and by having all that data at our fingertips, we’re also attracting and retaining the talent that’s going to bring the brands farther, faster,” she adds.
Each of Wolverine Worldwide’s 13 brands has differing needs and operates in different consumer segments. For example, Sperry, founded in 1935, is the market leader in boat shoes and has also expanded into casual shoes, boots and sneakers. Harley-Davidson Footwear sells motorcycle boots plus riding-approved shoes and sneakers online and through a network of dealers. Then, in 2021, Wolverine acquired Sweaty Betty, a London-based women’s activewear retailer.
With help from Azure Arc, those brands can more quickly test and deploy business solutions while the brands’ decision makers and developers gain access to expanded and accelerated data analysis.
At Wolverine Worldwide headquarters, the company’s many brand logos are displayed.
“Some of the challenges we have working with so many brands are the various business requirements,” says Jason Miller, vice president of IT at Wolverine. “Some brands have very complex business models. Some are more international. Some have third-party joint ventures. All those different requirements – and being able to meet those from an analytics perspective – is the challenge for us here at Wolverine.
“Moving to the cloud enables us to compile all of the data pools that the brands have built up over time into one place so that all the brands can take advantage of it,” he adds.
Indeed, tapping such cross-channel opportunities is crucial, Slater says. Wolverine Worldwide will be better able to decipher, for example, which Sweaty Betty customers also buy products from Keds and Merrell. Gaining that kind of data intelligence currently takes “a lot of heavy lifting,” she explains.
Employees at Wolverine Worldwide are using more data to drive their decisions.
But when all that consumer data is safely and securely connected to the cloud, mapping that kind of customer-focused Venn diagram will be much simpler and will enable Wolverine Worldwide to specifically market to people who, say, are highly loyal to both Saucony and Sperry.
“One of the reasons we bought Sweaty Betty was not just because it’s an amazing brand, but they have consumer-focused skillsets and mindsets,” Slater says.
“How do we harness that so we can grow even faster, so we can learn that and apply it to our other brands?” Slater adds. “This is about getting our data in the cloud so we can connect in ways we have not done before, making that data even more powerful.”
Check out this Microsoft customer story to learn more about how Azure Arc is fueling innovation at Wolverine Worldwide.
Last Sunday, we showcased a massive lineup of games targeted to come to Xbox and Game Pass over the next twelve months. Today, Erin Ashley Simon and Malik Prince sat down with the teams at Bethesda, Mojang Studios, Obsidian Entertainment, Playground Games and many more talented game creators from around the world to unpack the news we shared during the Xbox & Bethesda Showcase.
We also unveiled never-before-seen gameplay for Oxide Games’ Ara: A History Untold, revealed Microsoft Flight Simulator’s release of World Update X: United States and Beechcraft Model 18, a New Aircraft in Local Legends Series. What’s more, we announced that Valheim will come to Xbox and Game Pass later this year, shared a first look at gameplay for The Texas Chainsaw Massacre and gave fans a glimpse of the Blunderdome and Halo worlds colliding in Fall Guys.
Here are some of the highlights from today’s Xbox Games Showcase: Extended show…
First Gameplay reveal of The Texas Chain Saw Massacre
Coming day one to Xbox and Windows PC with Game Pass, fans saw the first gameplay of the third-person asymmetrical horror experience The Texas Chain Saw Massacre. Based on the groundbreaking and iconic 1974 horror film, players will take on the role of one of the notorious Slaughter family to seek out, track down, and stop their guests from escaping. Alternatively, players can take on the role of the Slaughter families victims and use their wits and stealth to stay out of the Family’s reach and find the tools needed to reach freedom. Experience the mad and macabre for yourself in The Texas Chain Saw Massacre.
Valheim coming to PC Game Pass in 2022, Xbox in 2023
Coming to Xbox and Game Pass on day one, explore a beautiful, procedurally generated world as a battle-slain Norse warrior whose soul has been ferried to Valheim to slay Odin’s ancient rivals. Build, conquer, craft and survive solo or cooperatively with friends as you endeavor to bring order to the world of Valheim.
Microsoft Flight Simulator Releases World Update X: United States of America and US Territories Today and the Beechcraft Model 18, a New Aircraft in Local Legend Series
Microsoft Flight Simulator announced that World Update X: United States of America and US Territories is available free today for all players. World Update X was built with the latest high-resolution satellite and aerial imagery available. The World Update includes four handcrafted airports, 87 new points of interest, three new landing challenges, three discovery flights, and three bush trips. The update will also feature brand new 3D cities such as San Diego, CA, Albany, NY, Key Largo, FL, Seattle, WA, Olympia, WA and more. Paired with the launch of World Update X: United States, Microsoft Flight Simulator released the fifth plane in the “Local Legends” series – the Beechcraft Model 18. It is a low-wing, twin-engine utility aircraft produced by American aviation manufacturer Beech Aircraft Corporation. For more information, visit our Xbox Wire post here, and for the latest information on Microsoft Flight Simulator, stay tuned to @MSFSOfficial on Twitter.
Available now for Xbox Series X|S and Windows PCs, with Xbox Game Pass and PC Game Pass, and via Xbox Cloud Gaming.
Fall Guys welcomes the world of Halo to the Blunderdome
Fall Guys and 343 Industries are partnering to bring Master Chief and so much more to the Blunderdome with The Spartan Showdown event from June 30-July 4. With new challenges, fancy cosmetics and legendary items hitting the store as part of this event, Beans around the world can grab the goods and get into the action to raise their wardrobe levels to elite.
Only a few years ago, the idea of justice being carried out in a virtual environment was reserved for special cases or circumstances. It had been discussed as a serious alternative to daily hearings being held in the courtroom and while it demonstrated merit, this was too drastic of a change.
While navigating our way through COVID-19, courts were forced to dramatically change their well-versed practices to meet the ever-changing landscape. The courtroom has evolved from a pure physical domain to a hybrid of in-person and remote parties. Having an accessible, secure, and single source of truth, available through an integrated technology platform has never been more essential. As technical issues were solved and courtroom participants gained comfort with their new normal, hybrid courtrooms have become widely accepted and the norm and will continue to remain in some form.
A changing landscape
The continually evolving court landscape poses new and unique challenges for the judiciary and the public, demanding a great shift in court operations and administration.
How do we ensure that all parties have fair, impartial, and timely proceedings, regardless of their location?
How do we seamlessly integrate the various legacy systems across agencies, securely?
What analytical insights can we arm court administration with to navigate the historical backlog challenges?
Is this the time to build interoperability in the court system?
And it is not simply COVID-19 that is driving change. In recent decades, growing case volumes and costs, along with tightening resource constraints, have prompted courts to seek technologies that facilitate more efficient justice administration while reducing costs. That has led to a smaller number of central court hubs. More courtrooms necessarily imply greater travel and logistical costs for courts staff, judges, police and other agencies, and parties. That makes a hybrid approach to justice almost inevitable.
Microsoft’s extensive partner ecosystem has been a key component to the success and scalability of various judicial industry solutions. Learn more about modernizing court operations and see the solutions offered by our partners.
Hybrid courtroom
As court hearings become hybrid, it’s important to identify gaps in the hearing experience that technology can bridge. While hybrid court proceedings may seem straightforward, developing an experience that allows courts to simulate a physical case hearing with minimal technology interaction and distraction is key. Quoting a judge, “Invisible technology is the right technology in the courtroom.” Technology within the courtroom is there to assist the proceeding, not hinder it. What does a truly integrated platform look like? Download the LACourtConnect Update to see an example of integrated platforms in a hybrid courtroom providing enhancements to the participants experience for remote appearances, including the ability to chat with other participants, monitor courtroom proceedings before the case is called, and more.
Data analytics
Courts across the globe are inundated with growing case backlogs. Traditional methods of analyzing vast amounts of data are tedious and time-consuming. Courts are looking at how they can put AI to work to maximize the use of data and modernize and automate selected processes. Machine learning systems built on Microsoft Azure provide critical analytics to derive actionable insights and intelligible data. With Azure, court employees can use natural language processing, form recognition, speed-to-text transcription, and translation services to index, search, and analyze text, images, PDFs, and audio or video files.
At Microsoft, and with our industry partners, we are building a justice management platform to meet these challenges, creating a single source of truth for all those involved in the justice ecosystem backed by the integrity and security Microsoft builds into all our products. Join us as we explore accelerating digital justice transformation in this upcoming blog series.
Today, Microsoft is announcing that we have entered into an agreement to acquire Miburo, a cyber threat analysis and research company specializing in the detection of and response to foreign information operations.
Microsoft detects and helps customers defend against cyber threats from nation-states as part of our commitment to keep customers safe online. These efforts are underpinned by the threat intelligence we gather, publish, and use to fuel disruptions of malicious nation-state activity across a range of cyber-attack vectors.
Miburo, led by founder Clint Watts, will become part of the Customer Security and Trust organization. Working in close collaboration with the Microsoft Threat Intelligence Center, our Threat Context Analysis team, our data scientists and others, the new analysts from Miburo will enable Microsoft to expand its threat detection and analysis capabilities to address new cyber-attacks and shed light on the ways in which foreign actors use information operations in conjunction with other cyber-attacks to achieve their objectives. Miburo has become a leading expert in identification of foreign information operations. Miburo’s research teams detect and attribute malign and extremist influence campaigns across 16 languages.
With the acquisition of Miburo, we will continue our mission to take action, and to partner with others in the public and private sectors to find long-term solutions that will stop foreign adversaries from threatening public and private sector customers and, in fact, the very foundations of our democracy.
This year’s conference attendees will share the latest EdTech designed to help bridge the equitable education gap—and we sure have a lot in store.
Our expert-led sessions will cover a range of topics, so whether you’re looking for accessible reading fluency tools, resources to support social and emotional learning, or want to take a deeper dive into gamified learning, there’s plenty to explore.
Visit the Microsoft Booth #1417 for interactive demos
Here, you will find our Microsoft Learn Educator Theatre and interactive demo stations where you can connect with product experts and get hands-on experience with top classroom tools like Minecraft: Education Edition, Microsoft MakeCode, Office 365, and more!
Visit the Microsoft Content Room (Room 265/6) for content sessions
Drop by the Microsoft Content Room (Room 265/6) to hear from educators who use Microsoft solutions to transform learning. With over 20 sessions to choose from, you’ll have your pick of engaging content that will leave you inspired and excited for the next school year. Here’s a sneak peek at just a few sessions:
Tuesday, June 28, 2022, 8:30–9:25 AM CST
Critical Thinking and The Web: Why search is the most important skill we are not teaching
In this session, learn why the process of searching for information, and then validating it, has become an international crisis. Find out how you can help students and teachers perform a well-executed search that is followed by a framework for validating that information. This could be one of the most important sessions you attend.
Presenter: Holly Clark from the Infused Classroom
Wednesday, June 29, 2022, 8:30–9:25 AM CST
A Statewide Approach to K-12 Computer Science with ‘Coding in Minecraft’ (Prodigy Learning)
North Carolina has partnered with Microsoft and Prodigy Learning to provide all middle school students in the state access to the award-winning ‘Coding in Minecraft’ computer science credential solution. Join this interactive discussion to learn about this coordinated statewide approach to Computer Science to using Minecraft as an immersive innovative solution!
Presenters: Dr. Mary Hemphill from North Carolina Department of Public Instruction, Andrew Flood from Prodigy Learning
Wednesday, June 29, 2022, 9:30–10:25 AM CST
Inclusion, Accessibility, Culture, Language & More: Meet the Needs of All Learners with Flipgrid
Learn how to leverage built-in Flipgrid features to connect, engage, empower, and amplify your community.
Presenters: Yaritza Villalba, Fely Garcia Lopez, Elizabeth Schmuhl, Virginia Nguyen from Flipgrid
(Pro tip: Attend one of the above sessions and you’ll walk away with one of our exclusive fanny packs!)
Spotlight on Solutions Sessions
Sit in on conferences highlighting how school leaders and experts found answers to challenges in their communities with the assistance of Microsoft tools.
Hurricanes, Floods, and Pandemics, Oh My! How digital transformation allowed one school district to beat the odds
Presented by Stephen Taylor and Jeff Pittman from Onslow County School District
Monday, June 27, 2022, 11:00 AM–12:00 PM CST
Learn how one North Carolina school district stayed the course of digital transformation despite facing multiple natural disasters before the COVID-19 pandemic. You’ll also hear how the school’s consistent use of Microsoft Teams implemented greater student achievement.
5 Things Every Microsoft Educator Should Know About Hyperdocs
Presented by Holly Clark from the Infused Classroom and Lisa Highfill from HyperDocs
Tuesday, June 28, 2022, 11:00 AM–12:00 PM CST
Discover the five things to know and understand about HyperDocs to create powerful blended learning experiences with Microsoft Word, PowerPoint and Teams. Watch student work come to life while working inside of a HyperDoc.
Celebrate the MIE Community
We know our Microsoft Innovative Educator (MIE) Community has been working incredibly hard, and your ability to adapt and innovate is nothing short of extraordinary. Join us for the MIE Community Celebration honoring our 2021-22 class of US MIE Experts and Incubator School Leaders, Microsoft Learning Consultants, and Microsoft Global Training Partners.
Sunday, June 26, 2022, 6:30–9:30 PM CST
Riverview Room at 600 Decatur St. 4th Level
FlipFest: An Ultimate Celebration of YOU
Kick off your ISTELive experience with an evening full of fun and community building, and an exclusive sneak peek at what’s coming next for Flipgrid. Register in advance—the first 250 sign-ups will get access to digital swag!
Monday, June 27, 2022, 7:00–9:00 PM CST
River City Ballroom at 1380 Port of New Orleans Place
With so many different offerings this year, make sure you add your favorite Microsoft content sessions to your tailored conference program here. And don’t forget to follow along on Twitter, Instagram, Facebook and LinkedIn to stay in the know during the conference.
ISTELive ‘22 is all about sharing inspiration, reimagining what’s possible with technology, and achieving more together.
On June 2, we announced and adopted principles that apply across Microsoft for employee organizing and engagement with labor organizations.
Today I want to share that we are putting these principles into practice with a ground-breaking labor neutrality agreement between the Communications Workers of America (CWA) and Microsoft. This agreement, details of which you can read in our joint press release, will apply at Activision Blizzard after the acquisition closes.
Ground-breaking agreement will enable a new approach to corporate-union engagement after Microsoft’s acquisition of Activision Blizzard closes
WASHINGTON and REDMOND, Wash. – June 13, 2022 – Today the Communications Workers of America (CWA) and Microsoft announced they have entered into a ground-breaking labor neutrality agreement. The agreement will apply at Activision Blizzard beginning 60 days after Microsoft’s acquisition closes, and it reflects a fundamental belief by both organizations that enabling workers to freely and fairly make a choice about union representation will benefit Microsoft and its employees, and create opportunities for innovation in the gaming sector.
“This agreement provides a pathway for Activision Blizzard workers to exercise their democratic rights to organize and collectively bargain after the close of the Microsoft acquisition and establishes a high road framework for employers in the games industry,” said CWA President Chris Shelton. “Microsoft’s binding commitments will give employees a seat at the table and ensure that the acquisition of Activision Blizzard benefits the company’s workers and the broader video game labor market. The agreement addresses CWA’s previous concerns regarding the acquisition, and, as a result, we support its approval and look forward to working collaboratively with Microsoft after this deal closes.”
“Earlier this month we announced a set of principles that will guide our approach to labor organizations, and the Activision Blizzard acquisition is our first opportunity to put these principles into practice,” said Microsoft President and Vice Chair Brad Smith. “We appreciate CWA’s collaboration in reaching this agreement, and we see today’s partnership as an avenue to innovate and grow together.”
The foundation of the agreement is a commitment to mutual respect and open communication. Its five basic provisions will apply to Activision Blizzard employees after close of Microsoft’s acquisition. First, Microsoft will take a neutral approach when employees covered by the agreement express interest in joining a union. Second, covered employees will be able to easily exercise their right to communicate with other employees and union representatives about union membership in a way that encourages information sharing and avoids business disruptions. Third, employees will have access to an innovative technology-supported and streamlined process for choosing whether to join a union. Fourth, employees can maintain confidentiality and privacy of that choice if they wish. Fifth, if a disagreement arises between the CWA and Microsoft under the agreement, the two organizations will work together promptly to reach an agreement and will turn to an expedited arbitration process if they cannot. The agreement does not impact the Activision workforce before the close of the transaction.
The CWA and Microsoft are also committed to exploring new and innovative efforts to collaborate, including joint opportunities for the U.S. workforce to benefit from new technology and skill building programs that will enhance the country’s competitiveness.
##
About Communications Workers of America
The Communications Workers of America (CWA) represents working people in telecommunications, customer service, media, airlines, health care, public service and education, manufacturing, tech, video games, and other fields.
About Microsoft
Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.
For more information, press only:
Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777, [email protected]om
As schools and workplaces begin resuming in-person operations, we project a permanent increase in the volume of online meetings and calls. And while communication and collaboration solutions have played a critical role in enabling continuity during these unprecedented times, early stress tests have revealed opportunities to improve and enhance meeting and call quality.
Disruptive echo effects, poor room acoustics, and choppy video are some common issues that hinder the effectiveness of online calls and meetings. Through AI and machine learning, which have become fundamental to our strategy for continual improvement, we’ve identified and are now delivering innovative enhancements in Microsoft Teams that improve such audio and video challenges in ways that are both user-friendly and scalable across environments.
Today, we’re announcing the availability of new Teams features including echo cancellation, adjusting audio in poor acoustic environments, and allowing users to speak and hear at the same time without interruptions. These build on AI-powered features recently released like expanding background noise suppression.
Voice quality improvements
Echo cancellation
During calls and meetings, when a participant has their microphone too close to their speaker, it’s common for sound to loop between input and output devices, causing an unwanted echo effect. Now, Microsoft Teams uses AI to recognize the difference between sound from a speaker and the user’s voice, eliminating the echo without suppressing speech or inhibiting the ability of multiple parties to speak at the same time.
“De-reverberation” adjusts for poor room acoustics
In specific environments, room acoustics can cause sound to bounce, or reverberate, causing the user’s voice to sound shallow as if they’re speaking within a cavern. For the first time, Microsoft Teams uses a machine learning model to convert captured audio signal to sound as if users are speaking into a close-range microphone.
Interruptibility, for more natural conversations
A natural element of conversation is the ability to interrupt for clarification or validation. This is accomplished through full-duplex (two-way) transmission of audio, allowing users to speak and hear others at the same time. When not using a headset, and especially when using devices where the speaker and microphone are very close to each other, it is difficult to remove echo while maintaining full-duplex audio. Microsoft Teams uses a model “trained” with 30,000 hours of speech samples to retain desired voices while suppressing unwanted audio signals resulting in more fluid dialogue.
Background noise suppression
Each of us has first-hand experience of a meeting disrupted by the unexpected sounds of a barking dog, a car alarm, or a slammed door. Over two years ago, we announced the release of AI-based noise suppression in Microsoft Teams as an optional feature for Windows users. Since then, we’ve continued a cycle of iterative development, testing, and evaluation to further optimize our model. After recording significant improvements across key user metrics, we have enabled machine learning-based noise suppression as default for Teams customers using Windows (including Microsoft Teams Rooms), as well as Mac and iOS users. A future release of this feature is planned for Teams Android and web clients.
These AI-driven audio enhancements are rolling out and are expected to be generally available in the coming months.
Real-time screen optimization adjusts for the content you’re sharing
The impact of presentations can often depend on an audience’s ability to read on-screen text or watch a shared video. But different types of shared content require varied approaches to ensure the highest video quality, particularly under bandwidth constraints. Teams now uses machine learning to detect and adjust the characteristics of the content presented in real-time, optimizing the legibility of documents or smoothness of video playback.
AI-based optimization ensures your video looks great, even under bandwidth constraints
Unexpected issues with network bandwidth can lead to a choppy video that can quickly shift the focus of your presentation. AI-driven optimizations in Teams help adjust playback in challenging bandwidth conditions, so presenters can use video and screen sharing worry-free.
Brightness and focus filters that put you in the best light
Though you can’t always control the surrounding lighting for your meetings, new AI-powered filters in Teams give you the option to adjust brightness and add a soft focus for your meetings with a simple toggle in your device settings, to better accommodate for low-light environments.
Microsoft Teams: Engineered for clearer audio and fewer distractions
The past two years have made clear how important communication and collaboration platforms like Microsoft Teams are to maintaining safe, connected, and productive operations. In addition to bringing new features and capabilities to Teams, we’ll continue to explore new ways to use technology to make online calling and meeting experiences more natural, resilient, and efficient.
The BlackCat ransomware, also known as ALPHV, is a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. It’s noteworthy due to its unconventional programming language (Rust), multiple target devices and possible entry points, and affiliation with prolific threat activity groups. While BlackCat’s arrival and execution vary based on the actors deploying it, the outcome is the same—target data is encrypted, exfiltrated, and used for “double extortion,” where attackers threaten to release the stolen data to the public if the ransom isn’t paid.
First observed in November 2021, BlackCat initially made headlines because it was one of the first ransomware families written in the Rust programming language. By using a modern language for its payload, this ransomware attempts to evade detection, especially by conventional security solutions that might still be catching up in their ability to analyze and parse binaries written in such language. BlackCat can also target multiple devices and operating systems. Microsoft has observed successful attacks against Windows and Linux devices and VMWare instances.
As we previously explained, the RaaS affiliate model consists of multiple players: access brokers, who compromise networks and maintain persistence; RaaS operators, who develop tools; and RaaS affiliates, who perform other activities like moving laterally across the network and exfiltrating data before ultimately launching the ransomware payload. Thus, as a RaaS payload, how BlackCat enters a target organization’s network varies, depending on the RaaS affiliate that deploys it. For example, while the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access. In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).
Such variations and adoptions markedly increase an organization’s risk of encountering BlackCat and pose challenges in detecting and defending against it because these actors and groups have different tactics, techniques, and procedures (TTPs). Thus, no two BlackCat “lives” or deployments might look the same. Indeed, based on Microsoft threat data, the impact of this ransomware has been noted in various countries and regions in Africa, the Americas, Asia, and Europe.
Human-operated ransomware attacks like those that deploy BlackCat continue to evolve and remain one of the attackers’ preferred methods to monetize their attacks. Organizations should consider complementing their security best practices and policies with a comprehensive solution like Microsoft 365 Defender, which offers protection capabilities that correlate various threat signals to detect and block such attacks and their follow-on activities.
In this blog, we provide details about the ransomware’s techniques and capabilities. We also take a deep dive into two incidents we’ve observed where BlackCat was deployed, as well as additional information about the threat activity groups that now deliver it. Finally, we offer best practices and recommendations to help defenders protect their organizations against this threat, including hunting queries and product-specific mitigations.
BlackCat’s anatomy: Payload capabilities
As mentioned earlier, BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats.
BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered.
In the instances we’ve observed where the BlackCat payload did not have administrator privileges, the payload was launched via dllhost.exe, which then launched the following commands below (Table 1) via cmd.exe. These commands could vary, as the BlackCat payload allows affiliates to customize execution to the environment.
The flags used by the attackers and the options available were the following: -s -d -f -c; –access-token; –propagated; -no-prop-servers
Figure 1. BlackCat payload deployment options
Command
Description
[service name] /stop
Stops running services to allow encryption of data
vssadmin.exe Delete Shadows /all /quiet
Deletes backups to prevent recovery
wmic.exe Shadowcopy Delete
Deletes shadow copies
wmic csproduct get UUID
Gets the Universally Unique Identifier (UUID) of the target device
Modifies the registry to change MaxMpxCt settings; BlackCat does this to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology)
for /F \”tokens=*\” %1 in (‘wevtutil.exe el’) DO wevtutil.exe cl \”%1\”
Allows remote-to-local symbolic links; a symbolic link is a file-system object (for example, a file or folder) that points to another file system object, like a shortcut in many ways but more powerful
fsutil behavior set SymlinkEvaluation R2R:1
Allows remote-to-remote symbolic links
net use \\[computer name] /user:[domain]\[user] [password] /persistent:no
Mounts network share
Table 1. List of commands the BlackCat payload can run
User account control (UAC) bypass
BlackCat can bypass UAC, which means the payload will successfully run even if it runs from a non-administrator context. If the ransomware isn’t run with administrative privileges, it runs a secondary process under dllhost.exe with sufficient permissions needed to encrypt the maximum number of files on the system.
Domain and device enumeration
The ransomware can determine the computer name of the given system, local drives on a device, and the AD domain name and username on a device. The malware can also identify whether a user has domain admin privileges, thus increasing its capability of ransoming more devices.
Self-propagation
BlackCat discovers all servers that are connected to a network. The process first broadcasts NetBIOS Name Service (NBNC) messages to check for these additional devices. The ransomware then attempts to replicate itself on the answering servers using the credentials specified within the config via PsExec.
Hampering recovery efforts
BlackCat has numerous methods to make recovery efforts more difficult. The following are commands that might be launched by the payload, as well as their purposes:
“C:\Windows\system32\cmd.exe” /c “cmd.exe /c for /F \”tokens=*\” Incorrect function. in (‘ wevtutil.exe el ‘) DO wevtutil.exe cl \”Incorrect function. \””
Slinking its way in: Identifying attacks that can lead to BlackCat ransomware
Consistent with the RaaS model, threat actors utilize BlackCat as an additional payload to their ongoing campaigns. While their TTPs remain largely the same (for example, using tools like Mimikatz and PsExec to deploy the ransomware payload), BlackCat-related compromises have varying entry vectors, depending on the ransomware affiliate conducting the attack. Therefore, the pre-ransom steps of these attacks can also be markedly different.
For example, our research noted that one affiliate that deployed BlackCat leveraged unpatched Exchange servers or used stolen credentials to access target networks. The following sections detail the end-to-end attack chains of these two incidents we’ve observed.
Case study 1: Entry via unpatched Exchange
In one incident we’ve observed, attackers took advantage of an unpatched Exchange server to enter the target organization.
Upon exploiting the Exchange vulnerability, the attackers launched the following discovery commands to gather information about the device they had compromised:
cmd.exe and the commands ver and systeminfo – to collect operating system information
net.exe – to determine domain computers, domain controllers, and domain admins in the environment
After executing these commands, the attackers navigated through directories and discovered a passwords folder that granted them access to account credentials they could use in the subsequent stages of the attack. They also used the del command to delete files related to their initial compromise activity.
The attackers then mounted a network share using net use and the stolen credentials and began looking for potential lateral movement targets using a combination of methods. First, they used WMIC.exe using the previously gathered device name as the node, launched the command whoami /all, and pinged google.com to check network connectivity. The output of the results were then written to a .log file on the mounted share. Second, the attackers used PowerShell.exe with the cmdlet Get-ADComputer and a filter to gather the last sign-in event.
Lateral movement
Two and a half days later, the attackers signed into one of the target devices they found during their initial discovery efforts using compromised credentials via interactive sign-in. They opted for a credential theft technique that didn’t require dropping a file like Mimikatz that antivirus products might detect. Instead, they opened Taskmgr.exe, created a dump file of the LSASS.exe process, and saved the file to a ZIP archive.
The attackers continued their previous discovery efforts using a PowerShell script version of ADRecon (ADRecon.ps1), which is a tool designed to gather extensive information about an Active Directory (AD) environment. The attacker followed up this action with a net scanning tool that opened connections to devices in the organization on server message block (SMB) and remote desktop protocol (RDP). For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials.
These behaviors continued for days, with the attackers signing into numerous devices throughout the organization, dumping credentials, and determining what devices they could access.
Collection and exfiltration
On many of the devices the attackers signed into, efforts were made to collect and exfiltrate extensive amounts of data from the organization, including domain settings and information and intellectual property. To do this, the attackers used both MEGAsync and Rclone, which were renamed as legitimate Windows process names (for example, winlogon.exe, mstsc.exe).
Exfiltration of domain information to identify targets for lateral movement
Collecting domain information allowed the attackers to progress further in their attack because the said information could identify potential targets for lateral movement or those that would help the attackers distribute their ransomware payload. To do this, the attackers once again used ADRecon.ps1with numerous PowerShell cmdlets such as the following:
Get-ADRGPO – gets group policy objects (GPO) in a domain
Get-ADRDNSZone – gets all DNS zones and records in a domain
Get-ADRGPLink – gets all group policy links applied to a scope of management in a domain
Additionally, the attackers dropped and used ADFind.exe commands to gather information on persons, computers, organizational units, and trust information, as well as pinged dozens of devices to check connectivity.
Exfiltration for double extortion
Intellectual property theft likely allowed the attackers to threaten the release of information if the subsequent ransom wasn’t paid—a practice known as “double extortion.” To steal intellectual property, the attackers targeted and collected data from SQL databases. They also navigated through directories and project folders, among others, of each device they could access, then exfiltrated the data they found in those.
The exfiltration occurred for multiple days on multiple devices, which allowed the attackers to gather large volumes of information that they could then use for double extortion.
Encryption and ransom
It was a full two weeks from the initial compromise before the attackers progressed to ransomware deployment, thus highlighting the need for triaging and scoping out alert activity to understand accounts and the scope of access an attacker gained from their activity. Distribution of the ransomware payload using PsExec.exe proved to be the most common attack method.
Figure 3. Ransom note displayed by BlackCat upon successful infection
Case study 2: Entry via compromised credentials
In another incident we observed, we found that a ransomware affiliate gained initial access to the environment via an internet-facing Remote Desktop server using compromised credentials to sign in.
Figure 4. Observed BlackCat ransomware attack chain via stolen credentials
Lateral movement
Once the attackers gained access to the target environment, they then used SMB to copy over and launch the Total Deployment Software administrative tool, allowing remote automated software deployment. Once this tool was installed, the attackers used it to install ScreenConnect (now known as ConnectWise), a remote desktop software application.
Credential theft
ScreenConnect was used to establish a remote session on the device, allowing attackers interactive control. With the device in their control, the attackers used cmd.exe to update the Registry to allow cleartext authentication via WDigest, and thus saved the attackers time by not having to crack password hashes. Shortly later, they used the Task Manager to dump the LSASS.exe process to steal the password, now in cleartext.
Eight hours later, the attackers reconnected to the device and stole credentials again. This time, however, they dropped and launched Mimikatz for the credential theft routine, likely because it can grab credentials beyond those stored in LSASS.exe. The attackers then signed out.
Persistence and encryption
A day later, the attackers returned to the environment using ScreenConnect. They used PowerShell to launch a command prompt process and then added a user account to the device using net.exe. The new user was then added to the local administrator group via net.exe.
Afterward, the attackers signed in using their newly created user account and began dropping and launching the ransomware payload. This account would also serve as a means of additional persistence beyond ScreenConnect and their other footholds in the environment to allow them to re-establish their presence, if needed. Ransomware adversaries are not above ransoming the same organization twice if access is not fully remediated.
Chrome.exe was used to navigate to a domain hosting the BlackCat payload. Notably, the folder structure included the organization name, indicating that this was a pre-staged payload specifically for the organization. Finally, the attackers launched the BlackCat payload on the device to encrypt its data.
Ransomware affiliates deploying BlackCat
Apart from the incidents discussed earlier, we’ve also observed two of the most prolific affiliate groups associated with ransomware deployments have switched to deploying BlackCat. Payload switching is typical for some RaaS affiliates to ensure business continuity or if there’s a possibility of better profit. Unfortunately for organizations, such adoption further adds to the challenge of detecting related threats.
Microsoft tracks one of these affiliate groups as DEV-0237. Also known as FIN12, DEV-0237 is notable for its distribution of Hive, Conti, and Ryuk ransomware. We’ve observed that this group added BlackCat to their list of distributed payloads beginning March 2022. Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter’s decryption methodologies.
DEV-0504 is another active affiliate group that we’ve seen switching to BlackCat for their ransomware attacks. Like many RaaS affiliate groups, the following TTPs might be observed in a DEV-0504 attack:
Entry vector that can involve the affiliate remotely signing into devices with compromised credentials, such as into devices running software solutions that allow for remote work
The attackers’ use of their access to conduct discovery on the domain
Lateral movement that potentially uses the initial compromised account
Credential theft with tools like Mimikatz and Rubeus
DEV-0504 typically exfiltrates data on devices they compromise from the organization using a malicious tool such as StealBit—often named “send.exe” or “sender.exe”. PsExec is then used to distribute the ransomware payload. The group has been observed delivering the following ransom families before their adoption of BlackCat beginning December 2021:
BlackMatter
Conti
LockBit 2.0
Revil
Ryuk
Defending against BlackCat ransomware
Today’s ransomware attacks have become more impactful because of their growing industrialization through the RaaS affiliate model and the increasing trend of double extortion. The incidents we’ve observed related to the BlackCat ransomware leverage these two factors, making this threat durable against conventional security and defense approaches that only focus on detecting the ransomware payloads. Detecting threats like BlackCat, while good, is no longer enough as human-operated ransomware continues to grow, evolve, and adapt to the networks they’re deployed or the attackers they work for.
Instead, organizations must shift their defensive strategies to prevent the end-to-end attack chain. As noted above, while attackers’ entry points may vary, their TTPs remain largely the same. In addition, these types of attacks continue to take advantage of an organization’s poor credential hygiene and legacy configurations or misconfigurations to succeed. Therefore, defenders should address these common paths and weaknesses by hardening their networks through various best practices such as access monitoring and proper patch management. We provide detailed steps on building these defensive strategies against ransomware in this blog.
In the BlackCat-related incidents we’ve observed, the common entry points for ransomware affiliates were via compromised credentials to access internet-facing remote access software and unpatched Exchange servers. Therefore, defenders should review their organization’s identity posture, carefully monitor external access, and locate vulnerable Exchange servers in their environment to update as soon as possible. The financial impact, reputation damage, and other repercussions that stem from attacks involving ransomware like BlackCat are not worth forgoing downtime, service interruption, and other pain points related to applying security updates and implementing best practices.
Leveraging Microsoft 365 Defender’s comprehensive threat defense capabilities
Microsoft 365 Defender helps protect organizations from attacks that deliver the BlackCat ransomware and other similar threats by providing cross-domain visibility and coordinated threat defense. It uses multiple layers of dynamic protection technologies and correlates threat data from email, endpoints, identities, and cloud apps. Microsoft Defender for Endpoint detects tools like Mimikatz, the actual BlackCat payload, and subsequent attacker behavior. Threat and vulnerability management capabilities also help discover vulnerable or misconfigured devices across different platforms; such capabilities could help detect and block possible exploitation attempts on vulnerable devices, such as those running Exchange. Finally, advanced hunting lets defenders create custom detections to proactively surface this ransomware and other related threats.
Additional mitigations and recommendations
Defenders can also follow the following steps to reduce the impact of this ransomware:
Microsoft 365 Defender customers can also apply the additional mitigations below:
Turn on tamper protection in Microsoft Defender for Endpoint to prevent malicious changes to security settings. Enable network protection in Microsoft Defender for Endpoint and Microsoft 365 Defender to prevent applications or users from accessing malicious domains and other malicious content on the internet.
Ensure Exchange servers have applied the mitigations referenced in the related Threat Analytics report.
Alerts with the following titles in the security center can indicate threat activity on your network:
An active ‘BlackCat’ ransomware was detected
‘BlackCat’ ransomware was detected
BlackCat ransomware
Hunting queries
Microsoft 365 Defender
To locate possible ransomware activity, run the following queries.
Suspicious process execution in PerfLogs path
Use this query to look for processes executing in PerfLogs—a common path used to place the ransomware payloads.
DeviceProcessEvents
| where InitiatingProcessFolderPath has "PerfLogs"
| where InitiatingProcessFileName matches regex "[a-z]{3}.exe"
| extend Length = strlen(InitiatingProcessFileName)
| where Length == 7
Suspicious registry modification of MaxMpxCt parameters
Use this query to look for suspicious running processes that modify registry settings to increase the number of outstanding requests allowed (for example, SMB requests when distributing ransomware via its PsExec methodology).
DeviceProcessEvents
| where ProcessCommandLine has_all("LanmanServer", "parameters", "MaxMpxCt", "65535")
Suspicious command line indicative of BlackCat ransom payload execution
Use these queries to look for instances of the BlackCat payload executing based on a required command argument for it to successfully encrypt ‘–access-token’.
AI for Good Challenge attracts record number of student teams globally
Today, Microsoft is excited to announce the top 10 global winners of this year’s annual Imagine Cup Junior AI for Good Challenge. Thousands of students, aged 13-18, participated in the challenge to submit creative ideas to solve some of the world’s biggest issues using the power of artificial intelligence (AI). With so many amazing projects, the judges had a difficult task on their hands, and every student can be incredibly proud of what they accomplished.
Despite the continued uncertainty during a global pandemic in which some students are back in school in person while others are still learning remotely, students found creative ways to bring their teams together, innovate, and learn about AI along the way. Whether students were suggesting solutions for hardships experienced by their friends or family, issues they have read about in the news, or how to preserve the earth and create a better world for future generations, their standard of submissions was truly awe-inspiring.
“At Microsoft we’re always impressed by the creativity in the solutions submitted by the future generation of students. Every student who took part brought their heart to their projects, which really came through to all of the judges.”
– Rick Herrmann, Vice President Worldwide Public Sector Education
The top 10 global winner team names, country/regions, and project descriptions are listed below in alphabetical order:
ARISE, Nepal: ARISE is an AI- driven interactive application promoting accessibility for chemistry laboratory equipment using motion and augmented reality.
AutoCrab, Hong Kong: AutoCrab is an AI sensor to monitor and regulate water quality in hairy crab aquafarms.
Clean Up Crew, Australia: Clean Up Crew is an all-in-one AI device that collects and sorts waste materials into appropriate categories to be properly recycled.
Earthatarian, United Kingdom: Earthatarian is an AI-powered application to reduce food waste by predicting the ‘actual expiry’ of stocked food items and monitoring food consumption.
HACKRR, Philippines: WTFact is a fact-checking browser extension that utilizes AI to detect fake news and make internet users aware of online mis- and dis-information.
NeuSparks, China: NeuSparks uses Azure AI and Machine Learning to transcribe folk music recordings into digital format (MIDI) that can be easily transmitted and assist in sheet music creation and re-composition.
Sea Waste Scavengers, Indonesia: This AI concept is a ship fully powered by electricity from hydro and solar energy that tracks, locates, and captures plastic garbage and delivers it to a recycling plant.
SkyLine Humanitarian, Vietnam: This AI integrated mobile application connects hospitals and blood donors by blood type while encouraging potential new blood donors by spreading awareness.
Team Sensory Metaverse, India: Sensory Metaverse is a VR concept with a headset and a body suit that helps users not only see but feel virtual reality.
VORA, United States: VORA is a visual object recognition aid for the visually impaired.
For Microsoft, it’s inspiring to see more and more educators embracing newer technologies like AI, Azure cloud, and machine learning in the classroom, regardless of their comfort levels with technology. When teachers provide these experiences to their students, not only do students get the opportunity to learn about Microsoft’s AI for Good initiatives, they also further develop and practice modern and in-demand workplace skills like communication, collaboration, critical thinking, and creativity.
Congratulations to ALL of the students who participated this year. On behalf of Microsoft, we can’t wait to hear from you in the future and see how you continue to find creative ways to use AI to improve our world.
