Blackmatter Affiliates Spreading BlackCat Ransomware
Reading Time: 2 minutes

According to security experts, Blackmatter affiliates are spreading BlackCat Ransomware. Their analysis suggests similarities in tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter were identified, showing a strong connection between the two groups.

BlackCat (aka Alphv) is at the forefront when it comes to running cybercrime built on affiliates of other ransomware-as-a-service (RaaS) operations.

The hacking group came to light in November 2021 and recently has been targeting organizations worldwide over the past few months. The current finding suggests strong similarities with BlackMatter, a ransomware family originating from DarkSide, the hacking group behind a high-profile attack on Colonial Pipeline in May 2021.

A BlackCat representative last month in an interview with The Record dismissed rumors of them rebranding BlackMatter, also mentioning its made up of affiliates associated with other RaaS groups.Blackmatter Affiliates Spreading BlackCat Ransomware-1The unnamed representative was quoted, “In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts (aka affiliates). We borrowed their advantages and eliminated their disadvantages.”

Cisco Talos researchers Tiago Pereira and Caitlin Huey said, “BlackCat seems to be a case of vertical business expansion. In essence, it’s a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue.”

The researchers have discovered similarities between a BlackMatter attack in September 2021 and that of a BlackCat attack from December 2021. This includes tools and the file names used as well as a domain employed to maintain persistent access to the target network.Blackmatter Affiliates Spreading BlackCat Ransomware-2Further use of the same command and control address has also raised suspicion of affiliates using BlackMatter, likely one of the early adopters of BlackCat. Especially with the two attacks taking around 15 days to reach the encryption stage.

The researchers added, “As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist.”

Related Articles:
Russian Cyclops Blink Botnet New version targets ASUS Routers
Lapsus$ Gang Climbing up the Success Ladder with More Victims
New Infinite Loop Bug in OpenSSL May Allow Attackers Crash Remote Servers