A Bad Luck BlackCat

In early December 2021, a new ransomware actor started advertising its services on a Russian underground forum. They presented themselves as ALPHV, a new generation Ransomware-as-a-Service (RaaS) group. Shortly afterwards, they dialed up their activity, infecting numerous corporate victims around the world. The group is also known as BlackCat.


One of the biggest differences from other ransomware actors is that BlackCat malware is written in Rust, which is unusual for malware developers. Their infrastructure websites are also developed differently from other ransomware groups. Due to Rust’s advanced cross-compilation capabilities, both Windows and Linux samples appear in the wild. In other words, BlackCat has introduced incremental advances and a shift in technologies to address the challenges of ransomware development.


The actor portrays itself as a successor to notorious ransomware groups like BlackMatter and REvil. The cybercriminals claim they have addressed all the mistakes and problems in ransomware development and created the perfect product in terms of coding and infrastructure. However, some researchers see the group not only as the successors to the BlackMatter and REvil groups, but as a complete rebranding. Our telemetry suggests that at least some members of the new BlackCat group have links to the BlackMatter group, because they modified and reused a custom exfiltration tool we call Fendr, which has only been observed in BlackMatter activity.


This use of a modified Fendr, also known as ExMatter, represents a new data point connecting BlackCat with past BlackMatter activity. The group attempted to deploy the malware extensively within organizations in December 2021 and January 2022. BlackMatter prioritized collection of sensitive information with Fendr to successfully support their scheme of double coercion. In addition, the modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to tar ..
