Cisco Talos researchers have spotted overlaps in the tactics, techniques, and procedures (TTPs) between BlackCat and BlackMatter, indicating a robust link strong connection between the two ransomware groups.
According to the Cisco Talos findings, BlackCat first emerged on the ransomware-as-a-service (RaaS) scene in November 2021 and has since targeted several companies by exploiting vulnerabilities in the Windows system. It has been called out for being similar to BlackMatter, a short-lived ransomware family that originated from DarkSide, which made news by infiltrating the Colonial Pipeline system last year in a ransomware assault.
In an interview with the cybersecurity firm Recorded Future last month, a BlackCat spokesperson dismissed rumors that it's a rebranding of BlackMatter while noting that it's made up of affiliates linked with other RaaS groups.
"In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts (aka affiliates)," the unnamed representative stated.
"We borrowed their advantages and eliminated their disadvantages."
"BlackCat seems to be a case of vertical business expansion," Cisco Talos researchers Tiago Pereira and Caitlin Huey said. "In essence, it's a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue."
In addition, researchers uncovered multiple similarities between a BlackMatter attack in September 2021 and that of a BlackCat attack in December 2021, including the tools and file names employed, as well as a domain used to provide persistent access to the target network.
This overlapping use of the same command-and-control address suggests that a BlackMatter affiliate was likely an early adopter — possibly in the first month of operation of BlackCat, with both the attacks taking more than two weeks to reach the encryption stage.
"As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist," the researchers added.
The best way to mitigate risks is by investing in the best antivirus software, allowing for peace of mind when conducting business or sending private information. So far, the BlackCat group has targeted U.S.-based companies more than 30% of the time, so enterprises in North America are advised to be ready in case they are the next subject of attack for the ransomware group.
