{
	"id": "aae97163-d462-4012-b537-237b50f5ce33",
	"created_at": "2026-04-06T00:16:36.408802Z",
	"updated_at": "2026-04-10T03:33:16.000348Z",
	"deleted_at": null,
	"sha1_hash": "cde6fd43e5a795d227933413af171bcf323e9ce3",
	"title": "This is a BlackCat you don't want crossing your path",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47514,
	"plain_text": "This is a BlackCat you don't want crossing your path\r\nBy Jeff Burt\r\nPublished: 2022-03-22 · Archived: 2026-04-05 23:35:08 UTC\r\nCybersecurity researchers with Cisco have outlined probable links between the BlackMatter/DarkSide\r\nransomware ring responsible for last year's high-profile raid on the Colonial Pipeline, and an emerging\r\nransomware-as-a-service product dubbed BlackCat.\r\nIn a write-up this month, Cisco's Talos threat intelligence unit said a domain name and IP addresses used in a\r\nBlackCat infection in December had also been used in a BlackMatter ransomware deployment three months\r\nearlier.\r\nIn addition, the team outlined tools, file names, and techniques that are common to both the BlackMatter and\r\nBlackCat ransomware variants. As a ransomware-as-a-service (RaaS) operation, BlackCat can be rented by\r\ncriminal affiliates to infect and extort targets, with the malware's developers typically getting a cut of the ransom.\r\nGiven that the affiliates are individually responsible for compromising their victims' systems and deploying the\r\nactual ransomware binaries, \"it is likely that attacks carried out by the same ransomware family may differ in\r\ntechniques and procedures,\" Talos's Tiago Pereira and Caitlin Huey noted. In other words, affiliates infect victims\r\nin different ways with the same ransomware.\r\nAt the same time, RaaS operators often make training materials, general techniques, and tools available to\r\naffiliates – as shown by the documents leaked from the Conti ransomware gang – so you'd expect to see some\r\nsimilarities in the attacks carried out by these miscreants.\r\nStill, each ransomware strain should have its own command-and-control (C2) systems, and yet overlapping C2\r\nresources were seen in BlackMatter and BlackCat infections, fueling rumors of strong ties between the two. The\r\nTalos team further speculated that \"a BlackMatter affiliate was likely an early adopter – possibly in the first month\r\nof operation – of BlackCat.\"\r\nThis is interesting because it sheds some light on the interconnected networks of criminals menacing\r\norganizations. It's also useful to know what to look out for when defending against or gaining early detection of\r\nthis kind of ransomware.\r\nThose rumors of a close connection began as soon as BlackCat caught the attention of cybersecurity vendors and\r\nresearchers. The MalwareHunter Team tweeted about the ransomware group in December and other threat\r\nintelligence groups, such as S2W out of South Korea, reported similarities between some of the configuration fields\r\nused by both BlackCat and BlackMatter.\r\nHowever, there also were differences. For instance, BlackCat was written in Rust, while ransomware from both\r\nDarkSide and BlackMatter – the latter a rebranded DarkSide group – were written in C/C++, S2W wrote in an\r\nanalysis.\r\nhttps://www.theregister.com/2022/03/22/talos-ransomware-blackcat/\r\nPage 1 of 3\n\nSpeaking of malware... Pradeo says it has spotted an Android app installed more than 100,000 times from the\r\nGoogle Play Store that has a trojan in it called Facestealer. This socially engineers victims into handing over their\r\nFacebook login details, which are passed to a Russian server. The app in question was Craftsart Cartoon Photo\r\nTools, which has since been removed by Google. If for some reason you have it installed, get rid of it.\r\nMandiant has documented the activities of a team it's called UNC2891 and its targeting of Solaris systems with\r\nbackdoors dubbed TINYSHELL and SLAPSTICK and a rootkit called CAKETAP. It is believed CAKETAP was\r\nused to alter messages on ATM networks to pull off fraudulent withdrawals from banks using bogus payment\r\ncards. UNC2891, we're told, is skilled on Unix and Linux-flavored machines, is financially motivated, and has\r\ngone for years undetected in large systems.\r\nA BlackCat representative in a February interview with Recorded Future said the two groups had a \"connection\"\r\nbut that BlackCat was not a rebranding of BlackMatter.\r\nThe representative also said BlackCat is an affiliate of other RaaS groups, and that they took knowledge from\r\nother outfits. If true, BlackCat is an example of vertical business expansion – controlling the upstream supply\r\nchain by making a service better suited for their needs and adding another potential avenue for revenue, the Talos\r\nresearchers wrote.\r\nVertical expansion also is a business strategy when there is distrust in the supply chain.\r\n\"There are several cases of vulnerabilities in ransomware encryption and even of backdoors that can explain a lack\r\nof trust in RaaS,\" they wrote. \"One particular case mentioned by the BlackCat representative was a flaw in\r\nDarkSide/Blackmatter ransomware allowing victims to decrypt their files without paying the ransom. Victims\r\nused this vulnerability for several months, resulting in big losses for affiliates.\"\r\nDouble blow\r\nBlackCat – also known as ALPHV – is being used in double-extortion ransomware attacks, where the files not only are\r\nencrypted but victims are threatened with public disclosure of the files if the ransom isn't paid. BlackCat first\r\nappeared in November 2021 and has infected several companies in different parts of the world. That said, more\r\nthan 30 percent of the compromises have hit US-based companies, according to Talos.\r\nWhen comparing the BlackMatter intrusion in September and the BlackCat one in December, the Talos team\r\nbelieved the pair of cyber-attacks were run by the same affiliate. Both raids went the usual way: an initial\r\ncompromise followed by exploration and data exfiltration, preparation, and then execution of the extortionware.\r\nThere were further similarities: for both the BlackMatter and BlackCat infections, the methods to achieve\r\npersistence – a reverse SSH tunnel and scheduled tasks – were the same, as were the lateral movement methods and the C2\r\ndomain. In addition, local and domain user credentials were collected on some key systems by dumping the\r\nLSASS process memory and extracting the credentials with Microsoft Sysinternals Procdump and Dumpert.\r\n\"In both attacks, before the actual execution of the ransomware, the attackers performed several actions preparing\r\nsystems to make the execution as successful as possible,\" the researchers wrote. \"On the day of the attack, the\r\nattacker logged in to the domain controller and opened the group policy management interface. The attackers then\r\ndropped and executed a file named 'apply.ps1.' We believe this script created and prepared the group policy to\r\ncause the execution of the ransomware throughout the domain.\"\r\nThe researchers admitted they still don't know how tightly related BlackCat is to BlackMatter, but that given the\r\noverlapping tools, techniques, and infrastructure of the two infections, they have \"moderate confidence\" that\r\nBlackMatter affiliates were probably among the early adopters of BlackCat.\r\n\"As we have seen several times before, RaaS services come and go,\" they wrote. \"Their affiliates, however, are\r\nlikely to simply move on to a new service. And with them, many of their TTPs [techniques, tactics and\r\nprocedures] are likely to persist.\" ®\r\nSource: https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/"
	],
	"report_names": [
		"talos-ransomware-blackcat"
	],
	"threat_actors": [
		{
			"id": "8b0219d5-cb32-4702-a4d6-7de8beb9b7a8",
			"created_at": "2022-10-25T16:07:24.364598Z",
			"updated_at": "2026-04-10T02:00:04.955871Z",
			"deleted_at": null,
			"main_name": "UNC2891",
			"aliases": [],
			"source_name": "ETDA:UNC2891",
			"tools": [
				"BINBASH",
				"CAKETAP",
				"MIGLOGCLEANER",
				"SLAPSTICK",
				"STEELCORGI",
				"STEELHOUND",
				"SUN4ME",
				"Tiny SHell",
				"WINGCRACK",
				"WINGHOOK",
				"WIPERIGHT",
				"tsh"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4594f985-865e-4862-8047-2e80226e246a",
			"created_at": "2022-10-27T08:27:12.984825Z",
			"updated_at": "2026-04-10T02:00:05.293575Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"EXOTIC LILY"
			],
			"source_name": "MITRE:EXOTIC LILY",
			"tools": [
				"Bazar"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56384d06-abc2-4853-8440-db4d7b7d1b5f",
			"created_at": "2023-01-06T13:46:39.367122Z",
			"updated_at": "2026-04-10T02:00:03.303733Z",
			"deleted_at": null,
			"main_name": "EXOTIC LILY",
			"aliases": [
				"DEV-0413"
			],
			"source_name": "MISPGALAXY:EXOTIC LILY",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775791996,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cde6fd43e5a795d227933413af171bcf323e9ce3.pdf",
		"text": "https://archive.orkl.eu/cde6fd43e5a795d227933413af171bcf323e9ce3.txt",
		"img": "https://archive.orkl.eu/cde6fd43e5a795d227933413af171bcf323e9ce3.jpg"
	}
}