BlackCat Ransomware Attackers Fine-Tuning Their Malware Arsenal

BlackCat ransomware attackers are fine-tuning their malware arsenal in a bid to stay under the radar and expand their reach.

According to Symantec, “Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software.” 

BlackCat, which also goes by the names ALPHV and Noberus, is tracked as Coreid (aka FIN7, Carbanak, or Carbon Spider). It is a rebranded successor of DarkSide and BlackMatter, whose operations were disrupted after a string of high-profile attacks, including the one on Colonial Pipeline.

The group is notorious for running a ransomware-as-a-service operation, in which the core developers enlist affiliates to carry out the attacks; in return, those affiliates receive a percentage of the ransom.

A new version of the ALPHV ransomware has been written in Rust. The cybercriminals evolved their tactics three months after the group was detected exploiting patched computer systems. Their tactics included the use of plumbing for hacking purposes.

Symantec's research team also found that BlackCat ransomware attackers are capable of indexing leaked data and making it searchable.

BlackCat ransomware attackers are also using Exmatter as a data exfiltration tool. In its latest revision it generates a report of all processed files and can even corrupt those files.

Eamfo, malware designed to steal Veeam credentials, is used when attacking a server. It allows the attackers to gain additional privileges and move laterally through an organization's systems.

Ransomware groups continually adapt and refine their operations to stay effective for as long as possible. Group 88 is focusing more on data theft than on ransomware and cryptocurrency.

In addition, the BlackCat group is often seen using the Emotet malware as a method of infection. Furthermore, members of the now-defunct Conti ransomware group have joined BlackCat since Conti left the threat landscape last year.

A group called Monti is deliberately copying Conti's TTPs now that the original operation is being sunsetted.

Near the end of last year, the developer of LockBit 3.0 leaked the tool used to create bespoke versions of its malware, prompting concerns that more unskilled actors would abuse it.

Breaches like these have lowered the barrier to entry for malicious actors. Over the past two years, groups such as LockBit, Babuk and Conti have suffered similar breaches, enabling malicious actors to quickly launch attacks of their own.
