fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

BlackCat (ALPHV) Ransomware Linked to BlackMatter, DarkSide Gangs

BlackCat (ALPHV) Ransomware Linked to BlackMatter, DarkSide Gangs

The Black Cat ransomware gang, also known as ALPHV, has confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation.

BlackCat/ALPHV is a new feature-rich ransomware operation launched in November 2021 and developed in the Rust programming language, which is unusual for ransomware infections.

The ransomware executable is highly customizable, with different encryption methods and options allowing for attacks on a wide range of corporate environments.

Also Read: December 2021 PDPC Incidents and Undertaking: Lessons from the Cases

BlackCat / ALPHV encrypting a computer
BlackCat / ALPHV encrypting a computer

While the ransomware gang calls themselves ALPHV, security researcher MalwareHunterTeam named the ransomware BlackCat after the image of a black cat used on every victim’s Tor payment page.

Since then, the ransomware operation has been known as BlackCat when discussed in the media or by security researchers.

A brief history on ransomware rebrands

Many ransomware operations are run as a Ransomware-as-a-Service (RaaS), where core members are in charge of developing the ransomware infection and managing servers, while affiliates (aka “adverts”) are recruited to breach corporate networks and conduct attacks.

As part of this arrangement, the core developers earn between 10-30% of a ransom payment, while the affiliate earns the rest. The percentages change based on how much ransom revenue a particular affiliate brings to the operation.

Also Read: PDPA Compliance for the Telecommunication Sector

While there have been many RaaS operations in the past, there have been a few top-tier gangs that commonly shut down when law enforcement is breathing down their neck and then rebrand under new names.

These top-tier Ransomware-as-a-Service operations and their rebrands are:

Some believe that Conti was a rebrand of Ryuk, but sources tell BleepingComputer that they are both discrete operations run by the TrickBot Group and are not affiliated with each other.

While some affiliates tend to partner with a single RaaS operation, it is common for affiliates and penetration testers to partner with multiple gangs at once.

For example, a ransomware affiliate told BleepingComputer that they worked with Ragnar Locker, Maze, and the REvil ransomware operations simultaneously.

BlackCat rises from BlackMatter’s ashes

Since BlackCat ransomware launched in November, the representative of the LockBit ransomware gang has stated that ALPHV/BlackCat is a rebrand of DarkSide/BlackMatter.

LockBit representative stating ALPH is a DarkSide rebrand
LockBit representative stating ALPH is a DarkSide rebrand

The Record published an interview with the ALPHV/BlackCat gang, who confirmed suspicions that they were affiliated with the DarkSide/BlackMatter gang.

“As adverts of darkmatter [DarkSide / BlackMatter], we suffered from the interception of victims for subsequent decryption by Emsisoft,” ALPHV told The Record, referring to the release of Emsisoft’s decryptor.

While the BlackCat ransomware operators claim that they were only DarkSide/BlackMatter affiliates who launched their own ransomware operation, some security researchers are not buying it.

Emsisoft threat analyst Brett Callow believes BlackMatter replaced their dev team after Emsisoft exploited a weakness allowing victims to recover their files for free and losing the ransomware gang millions of dollars in ransoms.

“While Alphv claim to be former DS/BM affiliates, it’s more likely that they *are* DS/BM but attempting to distance themselves from that brand due to the reputational hit it took after making an error that cost affiliates multiple millions of dollars,” Callow tweeted yesterday.

In the past, it was possible to prove that different ransomware operations were related by looking for code similarities in the encryptor’s code. 

As the BlackCat encryptor has been built from scratch in the Rust programming language, Emsisoft’s Fabian Wosar told BleepingComputer that these coding similarities no longer exist.

However, Wosar said that there are similarities in the features and configuration files, supporting that it is the same group behind the BlackCat and the DarkSide/BlackMatter ransomware operations.

Regardless of whether they are just past affiliates who decided to launch their own ransomware operation or a rebrand of DarkSide/BlackMatter, they have shown to be able to pull off large corporate attacks and are rapidly amassing victims.

BlackCat is going to be a ransomware operation that all law enforcement, network defenders, and security professionals need to keep a close eye on.

Gang repeats their mistakes

Ironically, what led to the downfall of the DarkSide/BlackMatter operations may ultimately be what causes a quick demise for BlackCat/ALPHV.

After DarkSide attacked the Colonial Pipeline, the largest fuel pipeline in the United States, it began to feel the full pressure of international law enforcement and the US government.

This pressure continued after they rebranded as BlackMatter, with law enforcement seizing their servers and causing them to shut down again.

What may have thrust the BlackCat ransomware into the spotlight is ironically another attack on oil suppliers and distribution companies, leading to supply chain issues.

This week, BlackCat attacked Oiltanking, a German petrol distributor, and Mabanaft GmbH, an oil supplier.

These attacks once again affected the fuel supply chain and caused gas shortages.

The BlackCat operators, though, told The Record that they could not control who their affiliates attack and ban those that are non-compliant with the gang’s policies. These policies state that affiliates should not target government agencies, healthcare, or educational entities.

However, it seems that the Darkside gang didn’t learn from their previous mistakes and once again attacked critical infrastructure, which will likely place them firmly in the crosshairs of law enforcement.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us