From BlackMatter to BlackCat: Analyzing two attacks from one affiliate

  • BlackCat is a recent and growing ransomware-as-a-service (RaaS) group that targeted several organizations worldwide over the past few months.
  • There are rumors of a relationship between BlackCat and the BlackMatter/DarkSide ransomware groups, infamous for the attack on Colonial Pipeline last year. According to a BlackCat representative, BlackCat is not a rebranding of BlackMatter, but its team is made up of affiliates of other RaaS groups (including BlackMatter).
  • Talos has observed that at least one attacker who previously deployed BlackMatter was likely one of the early adopters of BlackCat. In this post, we describe these attacks and the relationship between them.
  • Understanding the techniques and tools used by RaaS affiliates helps organizations detect and prevent attacks before the ransomware itself is executed; once encryption starts, every second means lost data.

BlackCat ransomware, also known as “ALPHV,” has quickly gained notoriety for its use in double-extortion attacks against companies, in which files are encrypted and stolen data is threatened with public disclosure. It first appeared in November 2021 and, since then, several companies across the globe have been hit. However, more than 30 percent of the compromises involved U.S.-based companies.

Source: Talos