Experts linked BlackCat (ALPHV) ransomware to BlackMatter and DarkSide groups

A Recorded Future analyst interviewed a member of the hack group behind the BlackCat (ALPHV) ransomware, who confirmed that ALPHV is linked to notorious groups such as BlackMatter and DarkSide.

Let me remind you that the unusual ransomware ALPHV (aka BlackCat and BC.a Noberus) written in Rust was discovered by researchers at the end of last year. Even then, experts noted that the creator of ALPHV was probably previously a member of the well-known hacker group REvil, and the new malware is a “very complex” encryptor.

Back at the end of 2021, after the appearance of ALPHV, a representative of the LockBit hack group stated that ALPHV is just a rebranding of the BlackMatter/DarkSide malware.

Now, these statements have been confirmed by the ALPHV representative himself:

Partly we are all connected to gandrevil [GandCrab/REvil], blackside [BlackMatter/DarkSide], mazegreggor [Maze/Egregor], LockBit and so on, because we are “advertising”. “Adverting” writes software, “advertising” chooses the brand name, the entire affiliate program is nothing without “advertising”. There was no rebranding or mixing of valuable personnel, because we are not directly related to these affiliate programs. Let’s just say we borrowed their strengths and eliminated their weaknesses.

Although BlackCat operators claim in interviews that they were only BlackMatter/DarkSide partners running their own extortion business, some experts do not believe this. For example, in response to the statements of hackers, Bleeping Computer quotes Emsisoft analyst Brett Callow, who is sure that BlackMatter simply replaced the development team after Emsisoft found a vulnerability in their malware that allowed victims to restore files for free.

While ALPHV claims to be former partners of DS/BM, it’s more likely that they *are* DS/BM, just trying to distance themselves from this brand due to the reputational hit they received after a bug [we discovered] that cost their partners of several million dollars.Callow says.

Bleeping Computer journalists also note that hackers do not seem to learn from their mistakes. The fact is that the responsibility for the recent attacks on the German companies Oiltanking and Mabanaft, engaged in the transportation and storage of oil and petroleum products, lies with the operators of the BlackCat/ALPHV encryptor. These attacks once again affected the fuel supply chain and caused a lot of problems.

This is quite ironic, considering that the DarkSide group was forced to cease its activities earlier precisely after the attack on the largest pipeline operator in the United States, Colonial Pipeline, as the incident provoked interruptions in the supply of fuel and drew too much unnecessary attention to the hackers.

About the same thing happened with the BlackMatter ransomware, which experts almost immediately called the rebranding of DarkSide – law enforcement agencies confiscated the group’s servers and forced it to stop operating again.

Now, after attacking Oiltanking and Mabanaft, the faction may again be under attack for the same reason. However, in an interview with Recorded Future, the hackers said that they cannot control targets of their partner’s attacks, and try to block those who break the rules.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *