Attackers deploying the Noberus (aka BlackCat, ALPHV) ransomware have been using new tactics, tools, and procedures (TTPs) in recent months, making the threat more dangerous than ever.
Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software.
How does Noberus operate?
Noberus is widely believed to be a successor payload to the Darkside and BlackMatter ransomware families, which were developed by a group Symantec, by Broadcom Software, tracks as Coreid (aka FIN7, Carbon Spider). Darkside was used in the Colonial Pipeline ransomware attack in May 2021. The extreme amount of public and law enforcement attention that attack attracted led Coreid to shut down Darkside and replace it with BlackMatter.