Cybersecurity researchers have found further links between the BlackCat (aka AlphaV) and BlackMatter ransomware families. BlackCat emerged as a replacement after BlackMatter came under international scrutiny last year.
In a new analysis, Kaspersky researchers found that "at least some members of the new BlackCat group have links to the BlackMatter group, because they modified and reused a custom exfiltration tool that has only been observed in BlackMatter activity."
That tool, Fendr, was used extensively in December 2021 and January 2022 to steal data from corporate networks before encryption, the common "double extortion" tactic, the New York Times reports.
Less than a month ago, Cisco Talos researchers found that BlackCat and BlackMatter share many of the same tactics, techniques, and procedures (TTPs), and described the new ransomware variant as a case of "vertical business expansion."
BlackCat stands out for its affiliate-actor status and for malware written in the cross-compilable Rust programming language. BlackCat's operators previously deployed BlackMatter as affiliates.
The researchers found that, beyond shared infrastructure and malware samples, the group also conducts its own ransom negotiations. Using BlackCat's samples, anyone with access to a target environment can infect it.
MachineGuid and UUID are two unique identifiers generated when Windows is installed. Once the malware has retrieved them, it bypasses User Account Control and deletes shadow backups before it begins encrypting the system.
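The shadow-backup deletion described above is one of the few observable steps before encryption starts, and is a common detection point for defenders. The following is an added example, not code from the article or from any of the researchers cited: it runs a small detection rule over constructed process-creation events. The article does not say which command BlackCat uses to remove shadow copies; the patterns below cover the administrative commands commonly abused for this purpose (an assumption on our part), and the sample events are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not from the article), shaped
# like parsed Sysmon Event ID 1 / EDR telemetry: host, parent, image, cmdline.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "parent": "backup-agent.exe",          # benign: only lists
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws03", "parent": "svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Command-line patterns for shadow-copy destruction. These are well-known
# administrative commands abused by many ransomware families; which one
# BlackCat itself uses is not stated in the article (assumption).
SHADOW_DELETE_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(
        r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "powershell_win32_shadowcopy_delete": re.compile(
        r"\bWin32_ShadowCopy\b.*\bDelete\b", re.I),
}


@dataclass(frozen=True)
class Alert:
    host: str
    parent: str
    cmdline: str
    rule: str


def detect_shadow_deletion(events):
    """Return one Alert per event whose command line matches a deletion pattern."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for rule, pat in SHADOW_DELETE_PATTERNS.items():
            if pat.search(cmd):
                alerts.append(Alert(ev["host"], ev["parent"], cmd, rule))
                break  # one alert per event is enough
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.rule}: {a.parent} -> {a.cmdline}")
```

In a real pipeline the parent process and the user context matter as much as the command line: a scheduled backup agent listing or pruning shadows is routine, while the same command launched from a user shell or an unsigned binary deserves an immediate look.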
The use of a modified Fendr, known as ExMatter, "is a new data point connecting BlackCat with past BlackMatter activity," the researchers said.
"As a criminal organization matures, it adapts its requirements to the target environment using a more sophisticated planning and development process, as demonstrated by the modification of this reused tool," the researchers added.