As SecurityLab previously reported, affiliates of the now-defunct RaaS services BlackMatter and REvil have formed a new group, BlackCat, also known as ALPHV, which is already actively attacking enterprise resource planning (ERP) service providers and industrial companies.
According to the latest Kaspersky Lab report, the ransomware has infected “a large number of corporate victims.”
How exactly the roles are distributed within the new group, between its affiliates and other cybercrime services, is still unknown, said Kurt Baumgartner, senior security researcher at Kaspersky Lab.
“Most likely, all BlackCat attacks are carried out by members of both groups who support the code and the service, and the partners do their own work. Some work can also be delegated further to access brokers and hackers from other groups,” Baumgartner explained.
As the Kaspersky Lab specialists found out, BlackCat uses a modified version of a proprietary tool called Fendr (the modified version is called ExMatter), which was previously used only by BlackMatter. In particular, the “cats” used it to exfiltrate data from company networks before deploying the ransomware in December 2021 and January 2022.
The group is one of the few using the popular but still relatively rare Rust programming language, which lets it quickly compile its tools for multiple platforms. Thanks to Rust, the hackers can build a single version of a tool for both Windows and Linux (cross-compilation) and perform thorough security checks to reduce the number of vulnerabilities in their tooling.
Kaspersky Lab specialists have recorded BlackCat attacks on a provider of enterprise resource planning services in the Middle East. The attackers stole its credentials and encrypted its hard drives. The second victim is an oil and gas company in South America.