BlackCat Purveyor Shows Ransomware Operators Have Nine Lives

Members of BlackMatter, and possibly REvil, have likely resurfaced in the new ransomware-as-a-service group ALPHV, whose primary tool is the BlackCat malware.

A ransomware group whose members claim to come from the now-shuttered BlackMatter and REvil groups has emerged from the shadows to launch a new ransomware-as-a-service operation, which has already attacked an enterprise resource planning (ERP) service provider and an industrial firm, new research shows.

The group, known as ALPHV, and its BlackCat malware have already infected “numerous corporate victims,” endpoint security firm Kaspersky said in an initial analysis posted on April 7. The operators of the new group advertise themselves as the strongest option to replace BlackMatter and REvil following international takedowns of those ransomware groups and their infrastructures. Kaspersky researchers have detected signs that at least some of the members likely had roles in a previous group, BlackMatter.

The exact division of activities between the new group, its affiliates, and other cybercriminal services is unclear, says Kurt Baumgartner, a principal security researcher at Kaspersky.

“In all likelihood, the overall set of global BlackCat incidents is performed by a mix of both the group maintaining the code and service and affiliates performing their own work,” he says. “Some of that work can be broken down further, too, into access brokers and penetration efforts performed by the individual groups.”

The analysis, and the strong hint that at least some of the operators may have been part of BlackMatter, shows that taking down a ransomware group's infrastructure does not stop its members from setting up shop again under a new name.

In the case of ALPHV, Kaspersky researchers discovered that the group used a private tool, dubbed Fendr, that had previously been observed only in BlackMatter operations. ALPHV used the tool to exfiltrate data from corporate victims in December 2021 and January 2022 before deploying ransomware, the now-common tactic known as double extortion: the stolen data gives the attackers leverage to demand payment even if the victim can restore its encrypted files from backups.

“Our telemetry suggests that at least some members of the new BlackCat group have links to the BlackMatter group because they modified and reused a custom exfiltration tool we call Fendr and which has only been observed in BlackMatter activity,”
