BlackCat Ransomware Targets Industrial Companies
The BlackCat ransomware group, which uses a ransomware-as-a-service (RaaS) model, first appeared in November 2021 and has since targeted organisations all over the world, including many in the United States.
Several cybersecurity firms have discovered connections between BlackCat and the ransomware operations BlackMatter and DarkSide. Rather than being a rebranding of BlackMatter, the BlackCat team appears to be made up of affiliates of various RaaS groups, including BlackMatter.
Kaspersky also provided information on the connection between BlackMatter and BlackCat in a blog post published on Thursday, focusing on a data exfiltration tool known as Fendr or ExMatter.
Symantec described Fendr last year as a custom data exfiltration tool that allowed BlackMatter operators to easily steal valuable data from compromised systems. The tool, which was previously only seen in BlackMatter attacks, is designed to collect specific file types and upload them to the cybercriminals’ servers before deploying file-encrypting ransomware. The stolen data can then be used to put the victim under pressure to pay up.
A version of the Fendr tool was used in a recent BlackCat attack on an oil, gas, mining, and construction firm in South America. However, compared to the tool seen in BlackMatter attacks, this version targeted some additional file types, specifically those commonly found in industrial settings.
It is not surprising that a ransomware gang is interested in industrial companies; both governments and cybersecurity firms have been warning organisations that ransomware is a growing threat to industrial systems.