Researchers analyzed two recent ransomware attacks by BlackCat and BlackMatter and discovered overlaps in their TTPs. The findings show a strong connection between the two groups.

A connection between two malware families 

Researchers observed similarities between the attacks by BlackMatter in September 2021 and BlackCat in December 2021, which revealed some connection in their persistence, defense evasion, credential access, and lateral movement.
  • Some of the common TTPs include the use of a reverse SSH tunnel, scheduled tasks, LSASS dumping, Impacket, RDP, PsExec, group policy, and the Netlogon share.
  • Additional correlations include similar file names, use of the same C2, and the domains used to maintain persistent access. In addition, both attacks took more than 15 days to reach the encryption stage.
  • These overlaps raise the possibility that the affiliate behind BlackMatter could be an early adopter of BlackCat.

However, a representative of BlackCat had already claimed that the ransomware is not a rebranding of BlackMatter and that its affiliates are associated with several RaaS groups.

The BlackCat ransomware

  • BlackCat is a growing RaaS group that has already targeted multiple organizations around the world.
  • BlackCat operators appear to be taking control of their upstream supply chain: they are tailoring a service that is important to their business to their own requirements, and adding an extra source of revenue in the process.

Conclusion

It can be safely presumed that there are many RaaS business models in which people may keep switching from one criminal enterprise to another, taking their techniques and knowledge with them. That is possibly why we often see an overlap in attack infrastructure. BlackCat could be playing an important role in helping several groups come together and work as a team.
Cyware Publisher