BlackCat ransomware isn’t showing signs of slowing down. The gang has released a new version of their data exfiltration tool, used for performing double-extortion attacks.
The group, considered a successor to Darkside and BlackMatter, is one of the most sophisticated and technically advanced RaaS (Ransomware-as-a-Service) operations.
New Features Added
According to BleepingComputer, the developer of BlackCat is continuously improving the malware by adding new features. Recent work has focused on “Exmatter”, the tool used for exfiltrating data. With the latest updates, the tool can now:
- Limit the file types it exfiltrates to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG;
- Use FTP as an exfiltration option in addition to SFTP and WebDAV;
- Optionally build a report listing all processed files;
- Use a new “Eraser” feature that corrupts processed files;
- Use a new “Self-destruct” configuration option to quit and delete itself if executed in a non-valid environment;
- No longer use Socks5 (support removed);
- Be deployed via GPO.
To go with the updates, Exmatter has also undergone heavy code refactoring, thus increasing the stealthiness of the malware.
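As an added defender-side example (not code from the article, BleepingComputer or any vendor), the following Python flags a process that reads many files with the extensions listed above and also opens an outbound connection on an FTP, SFTP or WebDAV port. The telemetry format, host names, paths and addresses are constructed and hypothetical.

```python
import re
from collections import defaultdict

# File extensions the article reports Exmatter now limits itself to.
TARGET_EXTS = {"pdf", "doc", "docx", "xls", "png", "jpg", "jpeg", "txt", "bmp",
               "rdp", "sql", "msg", "pst", "zip", "rtf", "ipt", "dwg"}
# Exfiltration channels named in the article: FTP (21), SFTP over SSH (22), WebDAV (80/443).
EXFIL_PORTS = {21, 22, 80, 443}

# Constructed sample telemetry in a hypothetical one-line-per-event format:
#   FILE <host> <pid> <image> READ <path>
#   NET  <host> <pid> <image> CONNECT <dst_ip>:<dst_port>
SAMPLE_LOG = """\
FILE ws01 4120 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe READ C:\\Share\\Q3\\budget.xls
FILE ws01 4120 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe READ C:\\Share\\Q3\\contract.docx
FILE ws01 4120 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe READ C:\\Share\\plant\\line2.dwg
FILE ws01 4120 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe READ C:\\Share\\mail\\old.pst
FILE ws01 4120 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe READ C:\\Share\\db\\dump.sql
NET  ws01 4120 C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe CONNECT 203.0.113.7:21
FILE ws01 2210 C:\\Program Files\\Microsoft Office\\WINWORD.EXE READ C:\\Users\\alice\\notes.docx
NET  ws01 2210 C:\\Program Files\\Microsoft Office\\WINWORD.EXE CONNECT 198.51.100.4:443
"""

# Image path may contain spaces, so match it lazily up to the action keyword.
LINE_RE = re.compile(r"^(FILE|NET)\s+(\S+)\s+(\d+)\s+(.+?)\s+(READ|CONNECT)\s+(\S+)$")

def find_exfil_candidates(log_text, min_files=5):
    """Return {(host, pid, image): (n_targeted_files, [ports])} for processes that
    read at least min_files distinct targeted files and connected on an exfil port."""
    reads, connects = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        kind, host, pid, image, _, target = m.groups()
        key = (host, int(pid), image)
        if kind == "FILE":
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            if ext in TARGET_EXTS:
                reads[key].add(target)
        else:
            port = int(target.rsplit(":", 1)[1])
            if port in EXFIL_PORTS:
                connects[key].add(port)
    return {k: (len(reads[k]), sorted(connects[k]))
            for k in reads if len(reads[k]) >= min_files and k in connects}
```

WINWORD.EXE is not flagged because it touched only one targeted file; the threshold and port set are tuning knobs that should be adjusted to the environment's normal file-server and backup traffic.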
Another recent addition to the group’s toolset is “Eamfo”, a new infostealer that specifically targets credentials stored by Veeam backup software. Once the credentials are extracted from the Veeam SQL database, Eamfo decrypts them and displays them to the threat actor. The same infostealer has already been used by other ransomware groups such as Yanluowang and LockBit.
Constant Evolution
BlackCat has made it obvious in recent years that its operations are constantly expanding. With new improvements, tools, and extortion strategies, the group’s RaaS operation becomes more effective and efficient.
Researchers have also observed ex-Conti affiliates moving to BlackCat/ALPHV after the Conti gang shut down its operations. That shutdown has made BlackCat stronger, thanks to an influx of experienced attackers who were quickly able to join and launch attacks under the new operation.