[BreachExchange] BlackCat confirms BlackMatter roots, but makes an ask of the researcher community

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Feb 7 11:35:35 EST 2022


https://www.scmagazine.com/analysis/ransomware/blackcat-confirms-blackmatter-roots-but-makes-an-ask-of-the-researcher-community

A spokesman for the ransomware most commonly called BlackCat confirmed its
lineage as part of the Dark Side/BlackMatter family in an interview with a
threat analyst at Recorded Future, and asked that the group be referred to
by its advertised name of ALPHV. The connection to Dark Side had been
suspected since at least the beginning of the year.

BlackCat/ALPHV emerged last year, but its leaks page shows a large group of
victims, which experts believe is a sign of popularity among ransomware
affiliate hackers. It was most famously seen in breaches of two German oil
companies earlier this month that impacted more than 200 gas stations. Dark
Side was most famous for briefly shuttering Colonial Pipeline last year.

"As [designers] of darkmatter [Dark Side / BlackMatter], we suffered from
the interception of victims for subsequent decryption by Emsisoft,"
explained the spokesman, answering a question from analyst Dmitry
Smilyanets about why the ALPHV ransomware used individual domains and
access tokens for each victim.

Emsisoft had used BlackMatter's wonky communications system, which was not
unique for each victim, to find victims and give them a decryptor.

While ALPHV made several claims throughout the interview, all of which may
well be the puffery of criminals advertising their brand to potential
collaborators, there is good reason to believe in the connection between
ALPHV and Dark Side. Researchers quickly noticed design overlaps between
the groups. Earlier this week, Emsisoft's Brett Callow told SC Media he was
preparing intelligence for release that ALPHV was a rebranding of Dark Side
after the group fired its old developer team and hired a new one.

ALPHV presents itself as an entirely new group made up of the best
programmers from different defunct strains of ransomware, though Callow
says keeping the Dark Side and BlackMatter brand names at arm's length is
to maintain credibility with affiliates.

"The rebrand was driven by the reputational harm from the incompetence
resulting in Dark Side ransomware being decrypted. Plus, a portion of the
ransom paid by Colonial Pipeline was recovered, which would leave
affiliates wondering whether the operation was compromised," said Callow.

"The rebrand lets them say they are a somewhat experienced operation —
otherwise, no one would want to work with them," Callow added. "At the same
time, they don't want to admit to being BlackMatter because that was
associated with the bad things."

There is some irony that ALPHV's breakthrough incident was caused by an oil
disruption. International police pressure following the Colonial Pipeline
attack, which disrupted oil distribution on the U.S. East Coast, forced
Dark Side to shut down. It later re-emerged as BlackMatter.

Ultimately, it is not the ransomware designers who determine who the
ransomware affiliates attack. Affiliates are contractors who sometimes use
multiple brands of ransomware at a time.

ALPHV told Recorded Future it tries to curate a group of affiliates that
will abide by its policies of not attacking government, hospitals,
education or Russia's closest allies, but it was limited in what it could
do to stop it.

"We control preventively — at registration. As you can see, we do not run
an active advertising campaign and easily cut ties with non-compliant
partners, but no matter how hard we try to filter people when creating an
account — shit happens," the spokesman said.