BlackCat (also known as ALPHV), a ransomware gang on the rise, has been linked to the now-defunct BlackMatter and REvil groups through the tools and techniques its operators share with them.
The cybercriminals have already launched a number of attacks on industrial companies and universities in the U.S., and are believed to be using some of the most advanced ransomware in circulation.
According to a recent report by the security vendor Kaspersky, the tools and techniques used by BlackCat closely resemble those used by BlackMatter, the group widely regarded as a rebrand of DarkSide, which was responsible for the 2021 Colonial Pipeline attack. The finding shows how hard it is to stamp out rapidly evolving ransomware operations that simply re-form under new names.
Who Are BlackCat — And Why Don't You Want Them Crossing Your Road?
BlackCat is a ransomware-as-a-service (RaaS) gang that has been active since December 2021. Since then it has targeted organizations worldwide, stealing sensitive data, extorting money, and threatening distributed denial-of-service (DDoS) attacks if its demands aren't met.
Far from a run-of-the-mill cyber gang, BlackCat has attracted global attention because it relies on sophisticated ransomware of the same name.
Unlike most ransomware families, BlackCat is written in Rust, a compiled language whose cross-compilation support lets the same code base be built for both Windows and Linux targets. Rust's performance speeds up file encryption, and because Rust binaries were still uncommon in malware, existing detection signatures and analysis tooling were less effective against them, making the malware harder for security researchers to detect and analyse.
But what does it actually look like to be targeted? Victims' files are encrypted and a ransom is demanded for the decryption key. The malware also renames encrypted files, appending an extension chosen by the attacker in its configuration.
Then, if victims refuse to pay, with demands commonly exceeding six figures, the group adds pressure by threatening to publish the stolen data.
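The bulk renaming described above is one of the few behaviours that is visible to defenders while encryption is still under way. The following is an added example (not code from the article, from Kaspersky, or from the BlackCat operators) of a simple detector: it reads file-rename events of the kind an EDR agent or auditd pipeline emits and alerts when many files gain the same previously unseen extension within a short window. The event format, the allow-list of known extensions and the thresholds are assumptions for illustration and would need tuning per environment; the sample events are constructed.

```python
"""Heuristic detector for ransomware-style bulk renames.

Added example, not taken from the article or from Kaspersky's report. It
consumes constructed file-rename events (timestamp, old_path, new_path)
and flags bursts in which many files gain the same new, unknown extension
within a short window, the pattern BlackCat and similar families produce.
"""
from collections import defaultdict
from dataclasses import dataclass
import os

# Extensions a legitimate batch job (backups, archiving) might produce.
# Assumed allow-list for this example; tune it to your own environment.
KNOWN_EXTENSIONS = {".bak", ".tmp", ".zip", ".gz", ".log", ".pdf", ".docx", ".xlsx"}


@dataclass(frozen=True)
class RenameEvent:
    ts: float        # seconds since the epoch
    old_path: str
    new_path: str


@dataclass(frozen=True)
class Alert:
    extension: str
    count: int
    first_ts: float
    last_ts: float


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect_bulk_renames(events, window_seconds=60.0, threshold=20):
    """Return one Alert per suspicious extension.

    A rename counts when the file's extension changed to one outside
    KNOWN_EXTENSIONS. An Alert fires when at least `threshold` such renames
    to the same extension fall inside any interval of `window_seconds`.
    """
    by_ext = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        new_ext = _ext(ev.new_path)
        if not new_ext or new_ext == _ext(ev.old_path) or new_ext in KNOWN_EXTENSIONS:
            continue
        by_ext[new_ext].append(ev.ts)

    alerts = []
    for ext, stamps in by_ext.items():
        start = 0
        best = None
        # Sliding window over the sorted timestamps for this extension.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best.count):
                best = Alert(ext, count, stamps[start], stamps[end])
        if best is not None:
            alerts.append(best)
    return alerts


def sample_events():
    """Constructed events: a 40-file burst to an unknown extension
    (ransomware-like), a backup job renaming to .bak (allow-listed), and a
    slow trickle of .old renames that never reaches the threshold."""
    base = 1_700_000_000.0
    events = []
    for i in range(40):   # burst: 40 renames in 30 seconds
        events.append(RenameEvent(base + i * 0.75,
                                  f"/srv/share/doc{i}.docx",
                                  f"/srv/share/doc{i}.docx.k7d9q"))
    for i in range(30):   # nightly backup job, known extension
        events.append(RenameEvent(base + 100 + i,
                                  f"/srv/db/dump{i}.sql",
                                  f"/srv/db/dump{i}.bak"))
    for i in range(10):   # one rename every 12 minutes, below threshold
        events.append(RenameEvent(base + i * 720.0,
                                  f"/home/u/n{i}.txt",
                                  f"/home/u/n{i}.old"))
    return events


if __name__ == "__main__":
    for alert in detect_bulk_renames(sample_events()):
        print(f"ALERT: {alert.count} files renamed to {alert.extension} "
              f"between {alert.first_ts} and {alert.last_ts}")
```

Run against the constructed events, only the `.k7d9q` burst is reported; the backup job is ignored because `.bak` is allow-listed, and the `.old` trickle never accumulates enough renames inside one window. In production the allow-list should also be checked against each host's normal rename rate, and an alert should trigger host isolation rather than just a log line, since the encryption is usually finished within minutes.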
Shared Activity Links BlackCat to BlackMatter
While BlackCat's tactics might seem novel, this isn't the first time they have been used against victims.
The same tactics have been used by notorious ransomware groups such as BlackMatter, REvil and DarkSide, a string of affiliate-based RaaS operations responsible for thousands of high-profile attacks worldwide.
“After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over their niche,” said Dmitry Galov, security researcher at Kaspersky.
And this isn't just a coincidence. Kaspersky's report “A bad luck BlackCat”, released last Thursday, concludes that BlackCat is the latest iteration of these groups, using near-identical tools and techniques to its predecessors.
Specifically, the researchers found the new RaaS group using a custom exfiltration tool called Fendr (also known as ExMatter) and a batch file that runs the credential-dumping tool Mimikatz, both of which had previously been used by BlackMatter and REvil.
Additional research from Tripwire suggests the similarities may extend to membership, with the security company finding that a number of actors previously involved with these groups now work with BlackCat.
How Your Business Can Avoid Bad Luck
BlackCat and similar threats cause severe damage to businesses. To reduce the chance of being hit, or to limit the impact of an attack, companies should take the precautions below.
- Back up data routinely and keep copies on separate platforms, e.g. on remote servers and on offline media that ransomware on the network cannot reach, and test that the backups actually restore.
- Educate your workforce on cybersecurity best practices to reduce incidents caused by employee error.
- Use strong, unique passwords that include numbers and special characters, change them regularly, and enable multi-factor authentication wherever it is offered. A password manager makes this easier.
- Protect your network and endpoints with antivirus or endpoint-protection software, and keep those programs, along with the operating systems and applications they run on, up to date.
- Encrypt important files, e.g. ones containing sensitive or personally identifiable information (PII), using reputable open-source encryption software.
For a more detailed breakdown of how to stay safe online, read our top tips for managing cyber threats here.