Researchers compared the TTPs of two recent ransomware outbreaks, BlackCat and BlackMatter, and observed parallels. The results reveal a substantial link between the two groups.
Research indicates similarities between BlackMatter’s September 2021 attack and BlackCat’s December 2021 attack, revealing a link in persistence, defensive evasion, credentials access, and lateral displacement.
Reverse SSH tunnelling, scheduled tasks, dump Isass, Impacket, RDP, psexec, group policy, and Netlogon sharing are all prevalent TTPs.
Similar file names, the use of the same C2, and the domains utilised to maintain persistent access are all examples of additional correlations. Furthermore, both assaults required over 15 days to complete the encryption stage.
As a result, it’s possible that the affiliate behind BlackMatter will be among the first to use BlackCat.
However, one of BlackCat’s spokespeople previously stated that the ransomware is not a rebranding of BlackMatter and that its affiliates are linked to a number of RaaS gangs.
The ransomware known as “BlackCat”
BlackCat is a rapidly expanding RaaS operation that has already attacked a number of organisations throughout the world.
BlackCat operators appear to be in control of the production flow by making a critical service better suited to their needs and earning additional cash.
Conclusion
It’s safe to assume that there are large RaaS business models in which employees transfer from one criminal company to the next, bringing their skills and experience with them. Perhaps this is why we frequently detect overlap in attack infrastructure. BlackCat could play a crucial role in bringing disparate groups together and collaborating.
