A Cisco Talos report showed that the BlackCat ransomware gang, also known as ALPHV, and the BlackMatter ransomware operation share significant similarities in tactics, techniques, and procedures (TTPs), The Hacker News reports.
While a BlackCat representative denied that the group was a mere BlackMatter rebrand, it was revealed that the gang was composed of affiliates linked to other ransomware-as-a-service groups. "BlackCat seems to be a case of vertical business expansion. In essence, it's a way to control the upstream supply chain by making a service that is key to their business (the RaaS operator) better suited for their needs and adding another source of revenue," wrote Cisco Talos researchers Caitlin Huey and Tiago Pereira.
Researchers noted that a command-and-control address observed in a BlackCat attack in December closely matched one used in a BlackMatter attack in September, which suggests that BlackMatter may have been one of the first groups to use BlackCat. "As we have seen several times before, RaaS services come and go. Their affiliates, however, are likely to simply move on to a new service. And with them, many of the TTPs are likely to persist," researchers said.
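The infrastructure overlap described above is a standard IOC pivot: index every command-and-control indicator by the campaigns that used it, keep the ones shared across families, and read off which family used each first. The script below is an added example written for this page, not code from Cisco Talos or from the article; the incident records, dates and addresses in it are constructed for illustration (the IPs are RFC 5737 documentation ranges), and the function names are the example's own.

```python
"""IOC pivot: find command-and-control indicators shared across ransomware
campaigns and show which family used each first.

Added example; all incident records below are constructed for illustration,
not real indicators from the Cisco Talos report.
"""
from collections import defaultdict
from datetime import date

# Constructed sample incident records (family, observation date, C2 indicators).
# The IP addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_INCIDENTS = [
    {"family": "BlackMatter", "observed": date(2021, 9, 14),
     "c2": ["192.0.2.10", "198.51.100.7"]},
    {"family": "BlackCat", "observed": date(2021, 12, 3),
     "c2": ["192.0.2.10", "203.0.113.42"]},
    {"family": "OtherRaaS", "observed": date(2021, 11, 20),
     "c2": ["203.0.113.9"]},
]


def index_indicators(incidents):
    """Map each C2 indicator to the (date, family) pairs that used it, earliest first."""
    seen = defaultdict(list)
    for inc in incidents:
        for ioc in inc["c2"]:
            seen[ioc].append((inc["observed"], inc["family"]))
    for ioc in seen:
        seen[ioc].sort()
    return dict(seen)


def shared_infrastructure(incidents):
    """Return only the indicators used by more than one distinct family."""
    idx = index_indicators(incidents)
    return {ioc: uses for ioc, uses in idx.items()
            if len({fam for _, fam in uses}) > 1}


def adoption_order(incidents):
    """For each shared indicator, list the families in order of first use.

    The first entry is the family that used the infrastructure earliest; a
    later family reusing it is the kind of observation that points at affiliates
    migrating between RaaS brands rather than at independent development.
    """
    order = {}
    for ioc, uses in shared_infrastructure(incidents).items():
        families = []
        for _, fam in uses:
            if fam not in families:
                families.append(fam)
        order[ioc] = families
    return order


def reuse_gap_days(incidents):
    """Days between the first and last use of each shared indicator."""
    return {ioc: (uses[-1][0] - uses[0][0]).days
            for ioc, uses in shared_infrastructure(incidents).items()}


if __name__ == "__main__":
    gaps = reuse_gap_days(SAMPLE_INCIDENTS)
    for ioc, fams in adoption_order(SAMPLE_INCIDENTS).items():
        print(f"{ioc}: first seen with {fams[0]}, reused by "
              f"{', '.join(fams[1:])} after {gaps[ioc]} days")
```

Indicators used by only one family (such as the constructed 203.0.113.42) are dropped, so the output is only the overlap worth pivoting on; on real data the same shape of query runs over your incident database or threat-intel platform instead of an inline list.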
Report sheds light on BlackMatter, BlackCat ransomware link
Attackers purporting to be Royal Mail distributed malicious emails about a failed package delivery with a PDF attachment that included a link redirecting to a Dropbox-hosted ZIP file, which then facilitated the execution of Prince ransomware.
The sites, operated under the "AI Nude" brand and promoted through black hat SEO techniques, promise to turn uploaded photos into deepfake nudes but instead display a link that, when clicked, redirects to a second site hosting the password and download link for a password-protected, Dropbox-hosted archive containing the infostealer malware.
Both iOS and Android devices have been targeted in attacks involving the fake app dubbed "SB-INT," which on iOS lured victims into manually trusting an Enterprise developer profile before starting a registration process that sought additional personal information from them.