BlackMatter and REvil affiliates have assembled the BlackCat group to carry on the RaaS business


While analyzing attacks by the BlackCat and BlackMatter cyber-extortion groups, researchers identified many overlaps in their tactics, techniques and procedures (TTPs), which may indicate a close relationship between the two.

Although cyber extortionists often rebrand their operations when law-enforcement attention increases, BlackCat (aka Alphv) appears to be a kind of "supergroup" made up of affiliates from several different ransomware operations.

BlackCat first appeared in November 2021 and has since attacked several organizations around the world. Many experts noted its resemblance to BlackMatter, a cyber-extortion group that emerged from the "remains" of the infamous DarkSide, which attacked Colonial Pipeline in May 2021.

In an interview with The Record last month, a BlackCat representative said that rumors that the group is simply BlackMatter under a new name are untrue. He did note, however, that BlackCat is made up of affiliates of various RaaS operations.

“We are partially connected with gandrevil [GandCrab/REvil], blackside [BlackMatter/DarkSide], mazegreggor [Maze/Egregor], lockbit, etc., since they were their partners. We borrowed their advantages and eliminated their disadvantages,” the representative of the group said.

According to Cisco Talos specialists, it seems that BlackCat is an example of vertical business expansion.

“In essence, this is a way to control the upstream supply chain, making the service that is key to their business (the RaaS operator) more suitable for their needs and adding another source of income,” the researchers explained.

Moreover, the researchers found a number of overlaps between a BlackMatter attack in September 2021 and a BlackCat attack in December 2021, including the tools and file names used, as well as the domain used to maintain persistent access to the compromised networks.

The reuse of the same C&C address suggests that a former BlackMatter affiliate was probably among the first to deploy BlackCat; in both attacks it took more than 15 days to reach the encryption stage.

“As we have seen many times, RaaS services come and go. However, their partners are most likely just switching to a new service. And many TTP are saved with them,” the researchers explained.
