BlackCat is the New Avatar of BlackMatter/DarkSide, Claims the Gang

Since its emergence in November 2021, the BlackCat ransomware gang, also known as ALPHV, has been targeting critical infrastructure in the U.S., Australia, and India. A recent discovery indicates that the ransomware inherited this habit of targeting high-profile entities from the well-known BlackMatter/DarkSide ransomware gangs.

The connection between BlackCat, BlackMatter, and DarkSide

LockBit ransomware operators revealed that BlackCat is a DarkSide/BlackMatter rebrand. Since then, opinion in the security community has been split over whether BlackCat is an affiliate of the prolific DarkSide/BlackMatter operation or a rebrand of it, adopted to escape the consequences of its earlier activity.
  • The Record confirmed its suspicion that BlackCat members had been affiliated with DarkSide/BlackMatter, based on an interview with BlackCat.
  • Some researchers believe that BlackMatter replaced its development team after Emsisoft's findings cost the ransomware gang millions of dollars in ransoms.
  • Although opinions conflict, it is certain that BlackCat shares similarities in features and configuration files with the DarkSide/BlackMatter ransomware operations.
  • However, BlackCat's encryptor shares no code similarities with the DarkSide/BlackMatter encryptors.

Other ransomware rebrands

In the recent past, several top-tier gangs have shut down their operations under peak law enforcement pressure and rebranded under new names.
  • GandCrab to REvil: The GandCrab ransomware group shut down in June 2019 after claiming to have earned $2 billion in ransom payments. It returned as REvil in September 2019, which was ultimately shut down by law enforcement in October 2021.
  • Maze to Egregor: The Maze ransomware had a lifespan from May 2019 to October 2020. However, it rebranded in September 2020 as Egregor, which later disappeared after members were arrested in Ukraine.
  • DarkSide to BlackMatter: The DarkSide ransomware enjoyed the hype until May 2021, when it had to shut down due to law enforcement operations spurred by the gang's widely publicized attack on Colonial Pipeline. The group returned as BlackMatter, operating from July 2021 until November 2021, when it shut down after Emsisoft exploited a weakness to create a decryptor and its servers were seized.

Conclusion

Regardless of whether BlackCat is a former affiliate that decided to launch its own ransomware operation or a rebrand of DarkSide/BlackMatter, the group has shown immense focus and growth, pulling off large corporate attacks against the likes of Veeam, Microsoft, Inetum Group, Moncler, and Oiltanking. As BlackCat rapidly amasses victims, it is a ransomware operation that law enforcement, network defenders, and security professionals all need to keep a close eye on.
Publisher: Cyware