{
	"id": "85c4b274-504f-4b8f-a44f-abf059db4fa4",
	"created_at": "2026-04-06T00:08:16.508018Z",
	"updated_at": "2026-04-10T13:12:32.10437Z",
	"deleted_at": null,
	"sha1_hash": "34b3f23372b314a9cfe590799c13880a7e4c46fc",
	"title": "BlackCat ransomware implicated in attack on German oil companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55756,
	"plain_text": "BlackCat ransomware implicated in attack on German oil\r\ncompanies\r\nWritten by Jonathan Greig, Contributor Feb. 2, 2022 at 7:56 a.m. PT\r\nArchived: 2026-04-05 20:25:40 UTC\r\nAn internal report from the Federal Office for Information Security (BSI) said the BlackCat ransomware group\r\nwas behind the recent cyberattack on two German oil companies that is affecting hundreds of gas stations across\r\nnorthern Germany. \r\nGerman newspaper Handelsblatt managed to obtain the internal report that said Oiltanking's \"systems were\r\ncompromised by the BlackCat ransomware through a previously unknown gateway.\"\r\nClaudia Wagner, head of communications for Oiltanking GmbH, would not confirm that BlackCat was behind the\r\nattack but said they discovered the initial cyber incident on Saturday, January 29th. \r\n\"Upon learning of the incident, we immediately took steps to enhance the security of our systems and processes\r\nand launched an investigation into the matter. We are working to solve this issue according to our contingency\r\nplans, as well as to understand the full scope of the incident. We are undertaking a thorough investigation, together\r\nwith external specialists and are collaborating closely with the relevant authorities. All terminals continue to\r\noperate safely.\r\n\"Oiltanking Deutschland GmbH \u0026 Co. KG terminals are operating with limited capacity and have declared force\r\nmajeure. Mabanaft Deutschland GmbH \u0026 Co. KG has also declared force majeure for the majority of its inland\r\nsupply activities in Germany. All parties continue to work to restore operations to normal in all our terminals as\r\nsoon as possible.\"\r\nOn Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue.\r\nHandelsblatt said 233 gas stations across Germany now have to run some processes manually because of the\r\nattack. 
\r\nLast year, US oil giant Colonial Pipeline dealt with a devastating ransomware attack that crippled its business\r\nservices and left significant parts of the East Coast without access to gas for less than a week. The Darkside\r\nransomware group was eventually named as the culprit, and some experts believe the group has rebranded\r\nmultiple times to dodge law enforcement scrutiny. \r\nEmsisoft threat analyst Brett Callow said there are links tying Darkside to another ransomware group --\r\nBlackMatter -- which made a name for itself last summer and fall by attacking agricultural organizations. \r\n\"It's likely that BlackCat -- or ALPHV -- is a rebrand of BlackMatter, which was itself a rebrand of Darkside,\"\r\nCallow said. \"Intel suggests that the individuals behind the operation fired their devs after the blunder which cost\r\nthem -- and their affiliates -- multiple millions. New devs were recruited and they were responsible for the\r\ndevelopment of BlackCat.\"\r\nLast week Palo Alto Networks' Unit 42 released a deep-dive into the BlackCat ransomware, which emerged in\r\nmid-November 2021 as an innovative ransomware-as-a-service (RaaS) group leveraging the Rust programming\r\nlanguage and offering affiliates 80-90% of ransom payments.\r\nBlackCat has been seen targeting both Windows and Linux systems, according to Unit 42, which added that it has\r\nobserved affiliates asking for ransom amounts of up to $14 million. In some instances, affiliates have offered\r\ndiscounts of $9 million if the ransom is paid before the established time. They allow ransom to be paid in Bitcoin\r\nand Monero.\r\nUnit 42 found that at least 16.7% of the group's victims were based in Germany. Last week, Italian fashion brand\r\nMoncler was revealed to be a BlackCat victim from December. 
\r\nThe incident with Oiltanking follows another cyberattack on billion-dollar German logistics firm Hellmann\r\nWorldwide Logistics that took place in December. \r\nJames Carder, chief security officer at LogRhythm, said the attack on Oiltanking is a perfect example of how\r\ncyberattacks can go beyond just the targeted entity and disrupt the larger supply chain. \r\n\"In this case, the oil distributor supplies fuel to 26 companies in Germany, including Shell, which operates over\r\n1,900 gas stations in the country,\" Carder said. \r\n\"While the supply of fuel has not been affected in the attack, impact remains consequential with IT systems\r\nresponsible for the automation of tank loading and unloading processes, something that cannot be done manually,\r\nbeing forced offline for the time being. The 13 tank farms that Oiltanking operates cannot currently serve trucks,\r\nso the firm has turned to alternative methods. The economic impact of cyberattacks affecting the greater supply\r\nchain can prove to be extremely detrimental.\"\r\nSource: https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/blackcat-ransomware-implicated-in-attack-on-german-oil-companies/"
	],
	"report_names": [
		"blackcat-ransomware-implicated-in-attack-on-german-oil-companies"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434096,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34b3f23372b314a9cfe590799c13880a7e4c46fc.pdf",
		"text": "https://archive.orkl.eu/34b3f23372b314a9cfe590799c13880a7e4c46fc.txt",
		"img": "https://archive.orkl.eu/34b3f23372b314a9cfe590799c13880a7e4c46fc.jpg"
	}
}