ALPHV Ransomware Connected to BlackMatter and DarkSide
The RaaS Confirmed Suspicions About this Affiliation.
BlackCat (also referred to as ALPHV) is a relatively recent ransomware-as-a-service (RaaS) operation that was discovered in December 2021 and is set apart by a number of qualities that differentiate it from other ransomware campaigns.
Ransomware-as-a-Service is an illegal ‘parent-affiliate(s)’ business architecture in which operators (i.e., the owner and/or creator of malicious software) provide tools to affiliates (i.e., customers) for the purpose of conducting ransomware attacks.
What Is ALPHV/BlackCat Ransomware?
The ransomware is entirely command-line driven, human-operated, and highly configurable. It can apply a variety of encryption algorithms, spread across systems, terminate virtual machines (including ESXi VMs), and automatically delete ESXi snapshots to hinder recovery.
Each ALPHV ransomware executable embeds a JSON configuration that controls the file extension appended to encrypted files, the ransom note, the way data is encrypted, the folders, files, and extensions excluded from encryption, and the services and processes that are automatically terminated.
RUST is chosen as a modern cross-platform low-level programming language. In the console command, the project name is alphv-N(ext)G(eneration). We have made a truly new product, with a new look and approach that meets modern requirements for both a RaaS solution and high-class commercial software.
The BlackCat ransomware gang, also known as ALPHV, has acknowledged that it is comprised of former members of the famed BlackMatter/DarkSide ransomware operation.
Since the November introduction of BlackCat ransomware, the LockBit ransomware gang’s spokesman has indicated that ALPHV/BlackCat is a rebranding of DarkSide/BlackMatter.
Intelligence analyst Dmitry Smilyanets from The Record interviewed members of the ALPHV/BlackCat gang, who acknowledged their affiliation with the DarkSide/BlackMatter group.
Dmitry Smilyanets: How should I address you: ALPHV, Alfa, or BlackCat?
ALPHV Support: As much as we would like to avoid it, the brand must exist to simplify interaction with insurance and recovery companies. Our only name is ALPHV. BlackCat was invented by The Record and BC.a Noberus by Symantec [Editor’s note: The name ‘BlackCat’ was mentioned first by MalwareHunterTeam].
DS: You came to the ransomware scene with knowledge and experience. The code, the procedures, and the timings indicate that you have ties to REvil and possibly DarkSide. Is it a rebrand or a mix of talent under a new banner?
ALPHV: In part, we are all connected to gandrevil [GandCrab / REvil], blackside [BlackMatter / DarkSide], mazegreggor [Maze / Egregor], lockbit, etc., because we are adverts [Editor’s note: advertisers or affiliates]. Adverts write software, adverts pick a brand name, a partnership program is nothing without adverts. There is no rebranding or a mix of talents because we have no direct relation to these partnership programs. Let’s just say: “We borrowed their advantages and eliminated their disadvantages.”
DS: You mentioned multiple advantages over the Conti and LockBit ransomware variants. Do you recognize other ransomware groups as competitors or business partners?
ALPHV: Without exaggeration, we believe that at the moment, there is no competitive software on the market. In addition to high-quality software, for advanced partners, we provide the full range of services related to ransom — metaverse or premium concierge — call it whatever you want. We are in a different weight category, so we don’t recognize anyone, and we won’t do TikTok ransomware houses. Separately, we want to thank the media for a detailed and honest review of the malware. The results speak for themselves.
BleepingComputer notes that the same factors that contributed to the collapse of the DarkSide/BlackMatter operations may eventually bring about BlackCat/ALPHV’s demise, as BlackCat appears to have targeted German fuel wholesaler Oiltanking and oil supplier Mabanaft GmbH.
The BlackCat operators disclosed that they are unable to control whom their affiliates attack, beyond removing individuals who violate the gang’s rules. Those rules prohibit affiliates from targeting government organizations, healthcare providers, or educational institutions.
How Can Heimdal™ Help?
Ransomware is one of today’s most widespread and severe cyber threats, and its repercussions are usually serious. Learning how to prevent it should be a top priority for any business concerned about the safety of its employees, clients, partners, assets, finances, and business processes.
In the fight against ransomware, Heimdal Security offers its customers an integrated cybersecurity suite that includes the Ransomware Encryption Protection module. The module is compatible with any antivirus solution and is completely signature-free, providing detection and remediation of any type of ransomware, whether fileless or file-based (including recent families such as LockFile).