Virtualization Technology News and Information
BlackCat, successor to BlackMatter and REvil ransomware gangs, targets corporate environments with advanced malware

Kaspersky released a new report, "A bad luck BlackCat," revealing the details of two cyber incidents conducted by the BlackCat ransomware group. The complexity of the malware used, combined with the vast experience of the actors behind it, make the gang one of the major players in today's ransomware market. The tools and techniques the group deploys during their attacks confirm the connection between BlackCat and other infamous ransomware groups, including BlackMatter and REvil.

The BlackCat ransomware gang is a threat actor that has been operating since at least December 2021. Unlike many ransomware actors, BlackCat's malware is written in Rust programming language. Thanks to Rust's advanced cross-compilation capabilities, BlackCat can target both Windows and Linux systems. Overall, BlackCat has introduced incremental advances and a shift in technologies to address the challenges of ransomware development.

The actor claims to be a successor to notorious ransomware groups like BlackMatter and REvil. Our telemetry suggests that at least some members of the new BlackCat group have direct links to BlackMatter, as they use tools and techniques that had previously been widely used by that group.

In the new report, Kaspersky researchers shed some light on two cyber-incidents of particular interest. One demonstrates the risk presented by shared cloud hosting resources and the other demonstrates an agile approach to customized malware being re-used across BlackMatter and BlackCat activity. 

The first case looks at an attack against a vulnerable ERP (enterprise resource planning) provider in the Middle East hosting multiple sites. The attackers simultaneously delivered two different executables to the same physical server, targeting two different organizations virtually hosted on it. The gang misunderstood the infected server as two different physical systems, while leaving tracks that were important for identifying BlackCat's operating style. Kaspersky researchers determined that the actor exploits the risk of shared assets across cloud resources. Additionally, in this case, the group also delivered a Mimikatz batch file along with executables and Nirsoft network password recovery utilities. A similar incident took place in 2019 when REvil, a predecessor to BlackMatter activity, appeared to penetrate a cloud service that supports a large number of dental offices in the US. It is most likely that BlackCat has also adopted some of these older tactics.

The second case involves an oil, gas, mining and construction company in South America and reveals the connection between BlackCat and BlackMatter ransomware activity. Not only did the affiliate behind this ransomware attack (which appears to be different from the one in the previously mentioned case) attempt to deliver BlackCat ransomware within the targeted network, it also preceded its delivery of the ransomware with the installation of a modified custom exfiltration utility, which we call "Fendr." This utility, which is also known as ExMatter, had previously been used exclusively as part of BlackMatter's ransomware activity.

"After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over their niche," said Dmitry Galov, security researcher at Kaspersky's Global Research and Analysis Team. "Knowledge of malware development, a new written-from-scratch sample in an unusual programming language and experience in maintaining infrastructure are turning the BlackCat group into a major player in the ransomware market. By analyzing these major incidents, we highlighted the main features, tools and techniques used by BlackCat while penetrating their victims' networks. This knowledge helps us keep our users safe and protected from known and unknown threats. We urge the cybersecurity community to join forces and work together against new cybercriminal groups for a safer future."

Learn more about the BlackCat ransomware on

Published Thursday, April 07, 2022 2:51 PM by David Marshall
Filed under:
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<April 2022>