Ransomware

BlackCat confirms BlackMatter roots, but makes an ask of the researcher community


A spokesman for the ransomware most commonly called BlackCat confirmed its lineage as part of the Dark Side/BlackMatter family in an interview with a threat analyst at Recorded Future, and asked that the group be referred to by its advertised name of ALPHV. The connection to Dark Side had been suspected since at least the beginning of the year.

BlackCat/ALPHV emerged last year, but its leaks page shows a large group of victims, which experts believe is a sign of popularity among ransomware affiliate hackers. It was most famously seen in breaches of two German oil companies earlier this month that impacted more than 200 gas stations. Dark Side was most famous for briefly shuttering Colonial Pipeline last year.

"As [designers] of darkmatter [Dark Side / BlackMatter], we suffered from the interception of victims for subsequent decryption by Emsisoft," explained the spokesman, answering a question from analyst Dmitry Smilyanets about why the ALPHV ransomware used individual domains and access tokens for each victim.

Emsisoft had used BlackMatter's wonky communications system, which was not unique for each victim, to find victims and give them a decryptor.

While ALPHV made several claims throughout the interview, all of which may well be the puffery of criminals advertising their brand to potential collaborators, there is good reason to believe in the connection between ALPHV and Dark Side. Researchers quickly noticed design overlaps between the groups. Earlier this week, Emsisoft's Brett Callow told SC Media he was preparing intelligence for release that ALPHV was a rebranding of Dark Side after the group fired its old developer team and hired a new one.

ALPHV presents itself as an entirely new group made up of the best programmers from different defunct strains of ransomware, though Callow says keeping the Dark Side and BlackMatter brand names at arm's length is to maintain credibility with affiliates.

"The rebrand was driven by the reputational harm from the incompetence resulting in Dark Side ransomware being decrypted. Plus, a portion of the ransom paid by Colonial Pipeline was recovered, which would leave affiliates wondering whether the operation was compromised," said Callow.

"The rebrand lets them say they are a somewhat experienced operation — otherwise, no one would want to work with them," Callow added. "At the same time, they don't want to admit to being BlackMatter because that was associated with the bad things."

There is some irony that ALPHV's breakthrough incident was an oil disruption. International police pressure following the Colonial Pipeline attack, which disrupted oil distribution on the U.S. East Coast, forced Dark Side to shut down. It later re-emerged as BlackMatter.

Ultimately, it is not the ransomware designers who determine who the ransomware affiliates attack. Affiliates are contractors who sometimes use multiple brands of ransomware at a time.

ALPHV told Recorded Future it tries to curate a group of affiliates that will abide by its policies of not attacking government, hospitals, education or Russia's closest allies, but said it was limited in what it could do to stop such attacks.

"We control preventively — at registration. As you can see, we do not run an active advertising campaign and easily cut ties with non-compliant partners, but no matter how hard we try to filter people when creating an account — shit happens," the spokesman said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
