
The sophisticated and dangerous ransomware BlackCat may open up new attack modes

Cisco Talos researchers recently analyzed two ransomware attacks and found an overlap in the tactics, techniques, and procedures (TTPs) of BlackCat and BlackMatter, pointing to a strong connection between the two operations.

While it is typical for ransomware groups to rebrand their operations in response to increased visibility of their attacks, BlackCat (aka ALPHV) marks something new: a cybercriminal operation founded by affiliates of other ransomware-as-a-service (RaaS) operations.

BlackCat first appeared in November 2021 and has since targeted several organizations around the world. It has been compared to BlackMatter, the ransomware that grew out of DarkSide, whose high-profile attack on Colonial Pipeline in May 2021 drew wide attention.

In an interview with The Record by Recorded Future last month, a BlackCat representative denied speculation that the group was a rebrand of BlackMatter, while noting that it is made up of affiliates connected to other RaaS groups.


"To some extent, we're all connected to gandrevil [GandCrab/REvil], blackside [BlackMatter/DarkSide], mazegreggor [Maze/Egregor], lockbit, etc. We borrowed from their strengths and eliminated their weaknesses."

"BlackCat appears to be a case of vertical business expansion," say Cisco Talos researchers Tiago Pereira and Caitlin Huey. "Essentially, it's a way to control the upstream supply chain, make services that are critical to their business (RaaS operators) more suited to their needs, and add another revenue stream."

What's more, the researchers note commonalities between a September 2021 BlackMatter attack and a December 2021 BlackCat attack, including the tools and file names used, as well as a domain adopted to maintain persistent access to the target network.

This overlapping use of the same command-and-control infrastructure raises the possibility that an affiliate who deployed BlackMatter was one of the early adopters of BlackCat. In both attacks, more than 15 days elapsed before the encryption phase was reached.
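The comparison the researchers describe, shared tools, shared file names and a shared persistence domain across two incidents, is an indicator-overlap analysis. The script below is an added example of how a responder might score that overlap, not code from Cisco Talos or from the original article. All indicator values and the per-type weights are constructed assumptions; the point of the weighting is that reuse of infrastructure (a C2 or persistence domain) is far stronger evidence of a common operator than reuse of commodity tooling that many affiliates download.

```python
"""Score indicator overlap between two ransomware incidents by indicator type.

Added example (not Cisco Talos or article code). Every indicator below is a
constructed, hypothetical value; the weights are an assumption for illustration.
"""

# Assumed weights: infrastructure reuse is strong evidence of a shared operator;
# commodity tools (PsExec, Cobalt Strike, etc.) are weak evidence on their own.
TYPE_WEIGHTS = {
    "c2_domain": 5.0,
    "persistence_domain": 5.0,
    "file_name": 2.0,
    "tool": 1.0,
}

# Constructed sample incidents (hypothetical IOCs, not real ones).
INCIDENT_A = {  # stands in for the September 2021 BlackMatter case
    "tool": {"psexec", "cobaltstrike", "rclone"},
    "file_name": {"update.bat", "svc_host.exe"},
    "persistence_domain": {"remote-mgmt.example.net"},
    "c2_domain": {"cdn-sync.example.org"},
}
INCIDENT_B = {  # stands in for the December 2021 BlackCat case
    "tool": {"psexec", "cobaltstrike", "7zip"},
    "file_name": {"update.bat", "cleanup.ps1"},
    "persistence_domain": {"remote-mgmt.example.net"},
    "c2_domain": {"metrics-api.example.org"},
}


def overlap_by_type(a, b):
    """Return {indicator_type: sorted shared indicators} for types with any overlap."""
    shared = {}
    for ioc_type in set(a) | set(b):
        common = a.get(ioc_type, set()) & b.get(ioc_type, set())
        if common:
            shared[ioc_type] = sorted(common)
    return shared


def overlap_score(a, b, weights=TYPE_WEIGHTS):
    """Weighted Jaccard similarity across indicator types, in [0.0, 1.0].

    Each type contributes weight * |A & B| to the numerator and
    weight * |A | B| to the denominator, so a shared domain counts five
    times as much as a shared commodity tool. Unknown types get weight 1.
    """
    inter = 0.0
    union = 0.0
    for ioc_type in set(a) | set(b):
        w = weights.get(ioc_type, 1.0)
        set_a = a.get(ioc_type, set())
        set_b = b.get(ioc_type, set())
        inter += w * len(set_a & set_b)
        union += w * len(set_a | set_b)
    return inter / union if union else 0.0  # two empty incidents share nothing


def strongest_link(a, b, weights=TYPE_WEIGHTS):
    """Name the highest-weight indicator type that the two incidents share, or None."""
    shared = overlap_by_type(a, b)
    if not shared:
        return None
    return max(shared, key=lambda t: weights.get(t, 1.0))


if __name__ == "__main__":
    for ioc_type, values in sorted(overlap_by_type(INCIDENT_A, INCIDENT_B).items()):
        print(f"{ioc_type:20s} shared: {', '.join(values)}")
    print(f"weighted overlap score: {overlap_score(INCIDENT_A, INCIDENT_B):.2f}")
    print(f"strongest link: {strongest_link(INCIDENT_A, INCIDENT_B)}")
```

The score alone is not a verdict: the sample pair shares two commodity tools and one file name, which would be unremarkable, but the shared persistence domain is what should trigger a closer look at whether the same affiliate was behind both intrusions. Different C2 domains in the two incidents lower the score without refuting that hypothesis, since operators rotate infrastructure between campaigns.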


"As we've seen many times before, RaaS services come and go. However, their affiliates may simply move to a new service. With their arrival, many TTPs are likely to persist," the researchers said.

The findings come as BlackBerry detailed a .NET-based ransomware family called LokiLocker, which not only encrypts files but also includes an optional wiper feature designed to delete all non-system files and overwrite the Master Boot Record (MBR) if the victim refuses to pay within a specified time.

"LokiLocker, a limited-access ransomware-as-a-service program, appears to have been sold to a relatively small number of carefully vetted affiliates, behind closed doors." Active since at least August 2021, it has so far hit victims concentrated mostly in Eastern Europe and Asia.

Note: This article is reported by E Security Compilation.
