
Why BlackCat Malware is one of the Major Ransomware Threats

by CISOCONNECT Bureau

Recently, BlackCat malware has emerged as one of the top ransomware threats. Read on to learn more about it.

The BlackCat ransomware gang is emerging as one of the most prominent threat actors in the current landscape, with a number of recent high-profile attacks.

BlackCat, also known as “ALPHV,” is a ransomware group that has been active since November and has carried out large attacks such as the disruption of OilTanking GmbH, a German fuel company, in January and the attack on aviation company Swissport in February. The ransomware group has lately claimed responsibility for attacks on Florida International University and the University of North Carolina A&T in the United States.

The FBI issued a flash alert on Wednesday about the BlackCat malware, which included indicators of compromise. According to the FBI, the ransomware group has attacked at least 60 companies around the world as of last month, often using “previously compromised user credentials” to gain access to victims’ networks.

The majority of BlackCat’s attacks, according to Matthew Radolec, senior director of incident response and cloud operations at Varonis, are based on the increasingly popular Ransomware as a Service (RaaS) concept.

Radolec said, “If we look at 2021 to today, we do have a change that was started by REvil.

“This concept of ransomware as a service is gaining in popularity and I think that is one of the fundamental differences. We’re talking about people that are creating a toolkit, and they are encouraging and recruiting operators almost like a SaaS company; they are offering a ransomware-as-a-service toolkit to deliver your own ransomware where they create the software for you.”

While BlackCat has not claimed as many victims as other ransomware gangs, the group is suspected of being behind some of the most damaging ransomware attacks in recent months.

According to threat detection vendor Cybereason, BlackCat employs a double extortion approach and has even used triple extortion via the threat of a DDoS attack.

Radolec sees increasing potential for BlackCat and other RaaS groups as more groups like REvil and Lapsus$ continue to be hurt by arrests.

Links with BlackMatter
Several cybersecurity firms have discovered links between BlackCat and the BlackMatter and DarkSide ransomware operations. Rather than being a rebranding of BlackMatter, the BlackCat team appears to consist of various RaaS group affiliates, including BlackMatter.

Kaspersky also provided information on the connection between BlackMatter and BlackCat in a blog post published on Thursday, focusing on a data exfiltration tool dubbed Fendr (also known as ExMatter).

A version of the Fendr tool was used by the hackers in a recent BlackCat attack on an oil, gas, mining, and construction company in South America. However, in comparison to the malware used in BlackMatter attacks, this one targeted a few more file types, specifically ones commonly found in industrial environments.

Kaspersky explained, “These additional file extensions are used in industrial design applications, like CAD drawings and some databases, as well as RDP configuration settings, making the tool more customized towards the industrial environments that we see being targeted by this group.”
