In a new report – “A bad luck BlackCat” – Kaspersky researchers reveal the details of two cyber incidents conducted by the BlackCat ransomware group. The complexity of the malware being used, combined with the vast experience of the actors behind it, make the gang one of the major players in today’s ransomware market.

The tools and techniques the group deploys during their attacks confirm the connection between BlackCat and other infamous ransomware groups, such as BlackMatter and REvil.

The BlackCat ransomware gang is a threat actor that has been operating since at least December 2021. Unlike many ransomware actors, BlackCat’s malware is written in Rust programming language. Thanks to Rust’s advanced cross-compilation capabilities, BlackCat can target both Windows and Linux systems. In other words, BlackCat has introduced incremental advances and a shift in technologies used to address the challenges of ransomware development.

The actor claims to be a successor to notorious ransomware groups like BlackMatter and REvil. Kaspersky telemetry suggests that at least some members of the new BlackCat group have direct links to BlackMatter as they use tools and techniques that had previously been widely used by BlackMatter.

In the new report, Kaspersky researchers shed some light on two cyber incidents of particular interest. One demonstrates the risk presented by shared cloud hosting resources and the other demonstrates an agile approach to customised malware being re-used across BlackMatter and BlackCat activity.

The first case looks at an attack against a vulnerable ERP (enterprise resource planning) provider in the Middle East hosting multiple sites. The attackers simultaneously delivered two different executables to the same physical server, targeting two different organisations virtually hosted on there. Even though the gang misunderstood the infected server as two different physical systems, the attackers left tracks, which were important for determining BlackCat’s operating style. Kaspersky researchers determined that the actor exploits the risk of shared assets across cloud resources.

Additionally, in this case, the group also delivered a Mimikatz batch file along with executables and Nirsoft network password recovery utilities. A similar incident took place in 2019 when REvil, a predecessor to BlackMatter activity, appeared to penetrate a cloud service that supports a large number of dental offices in the US. It is most likely that BlackCat has also adopted some of these older tactics.

The second case involves an oil, gas, mining and construction company in South America and reveals the connection between BlackCat and BlackMatter ransomware activity. Not only did the affiliate behind this ransomware attack – which appears to be different from the one in the previously mentioned case – attempt to deliver BlackCat ransomware within the targeted network, but it also preceded its delivery of the ransomware with the installation of a modified custom exfiltration utility, which we call “Fendr”. This utility, which is also known as ExMatter, had previously been used exclusively as part of BlackMatter’s ransomware activity.

“After the REvil and BlackMatter groups shut down their operations, it was only a matter of time before another ransomware group took over their niche. Knowledge of malware development, a new written-from-scratch sample in an unusual programming language and experience in maintaining infrastructure are turning the BlackCat group into a major player in the ransomware market. By analysing these major incidents, we highlighted the main features, tools and techniques used by BlackCat while penetrating their victims’ networks. This knowledge helps us keep our users safe and protected from known and unknown threats. We urge the cybersecurity community to join forces and work together against new cybercriminal groups for a safer future,” says Dmitry Galov, security researcher at Kaspersky’s Global Research and Analysis Team.