{
	"id": "e705f1bb-9bbb-42f8-9c10-c71492f44566",
	"created_at": "2026-04-06T00:20:52.501792Z",
	"updated_at": "2026-04-10T03:29:39.830519Z",
	"deleted_at": null,
	"sha1_hash": "de538c9f8eeedffe281351cf53a4a665c1906943",
	"title": "Update: What's BlackCat Ransomware Been Up to Recently?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 234069,
	"plain_text": "Update: What's BlackCat Ransomware Been Up to Recently?\r\nBy Mihir Bagwe\r\nArchived: 2026-04-05 19:59:45 UTC\r\nBusiness Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service\r\n1 Betting Platform, 3 Universities and 1 Natural Gas Supplier Allegedly Compromised (MihirBagwe) • April 11,\r\n2022    \r\nThe BlackCat ransomware group is possibly a rebrand of BlackMatter and DarkSide. (Source:\r\nPixabay)\r\nBlackCat, believed to be a rebranded version of the BlackMatter or DarkSide ransomware group, has claimed to\r\nhave successfully targeted several organizations including a popular Nigerian betting platform Bet9ja, three\r\nuniversities - FIU, NCAT State University, AIT-Thailand, and the largest natural gas supplier in Latin America -\r\nTGS, in the past few days.\r\nBet9ja, FIU, and NCAT State University have confirmed to ISMG that they were subjected to ransomware attacks,\r\nhowever, they say that no data losses have been found yet.\r\nBet9ja Bets All Data is Secured\r\nNigerian betting platform Bet9ja suffered a ransomware attack perpetrated by the BlackCat ransomware group on\r\nApril 6, which the company confirmed on Sunday - two days after the attack.\r\nhttps://www.bankinfosecurity.com/blackcat-attack-on-betting-company-disrupts-service-a-18886\r\nPage 1 of 6\n\nThe attack disrupted Bet9ja's regular operations, and many users complained of not being able to log into their\r\naccounts, but CEO Ayo Ojuroye maintains that \"all accounts, data and funds\" are \"safe.\"\r\nOn Wednesday, Bet9ja tweeted that its website was experiencing a technical issue and restricted its users from\r\nlogging in to their accounts. The company promised customers that its IT team was working on the issue as a\r\npriority, but the platform continued to face downtime. 
According to recent reports, however, services have finally\r\nbeen restored.\r\nOn Sunday, the company issued a statement on the \"criminal cyberattack.\"\r\nIn the announcement, Bet9ja says it has hired independent cyber forensics and cybercrime experts to investigate\r\nand resolve the situation.\r\nOjuroye also tweeted a confirmation of the \"unprovoked and unjustified\" attack on Wednesday, adding that the\r\ncompany continued to be in control of the situation and that all customer accounts, data and funds were secure.\r\nOjuroye says that the company has \"taken steps to reduce and mitigate any risk to our network systems and\r\noperations. We have deployed international cybersecurity and [cyber] forensic experts to help us analyze and\r\nimprove our network security and strengthen our operations to be more resilient and secure.\"\r\nHe did not, however, detail what measures were taken. The company did not respond to Information Security\r\nMedia Group's request for comment.\r\nAcknowledging the attack, the National Lottery Regulatory Commission of Nigeria says that it condemns the\r\nattack on \"one of Nigeria's leading sports betting companies\" - KC Gaming Networks Limited, which is Bet9ja's\r\nparent company.\r\n\"As the apex regulator of lotteries and gaming in Nigeria, we entirely condemn such a nefarious act that has\r\nadversely affected the company's operations, albeit temporarily,\" it says.\r\nThe NLRC adds that it was satisfied with Bet9ja's response to the incident and assured the public that its business\r\noperations would soon return to normal.\r\nBlackCat Lists Bet9ja\r\nWhile Bet9ja did not respond to ISMG's queries on whether the company would pay a ransom, BlackCat has\r\nupped the pressure by publishing details of the attack on its darknet website.\r\nSoufiane Tahiri, an independent cybersecurity researcher, tweeted screenshots of the website, which shows the\r\nattackers claiming that they \"have about 2TB confidential data of all 
clients, financial reports, software source\r\ncode, etc.\"\r\nThe screenshot also contains redacted images of what appear to be copies of customer passports, credit/debit card,\r\nand other personally identifiable information, including banking details.\r\nBlackCat's Other Victims\r\nIt appears that BlackCat has been busy elsewhere in the world.\r\nIn the past four days, it has reportedly published details of leaks following an attack on several educational\r\ninstitutions, including Florida International University, North Carolina Agricultural and Technical State\r\nUniversity, the Asian Institute of Technology, and Argentina's largest natural gas extractor company,\r\nTransportadora de Gas del Sur - or TGS.\r\nFlorida International University\r\nDarkfeed, a darknet monitoring platform, on Friday shared that BlackCat has claimed to have stolen nearly 1.2 TB\r\nof data and 300 GB of SQL databases from Florida International University.\r\nBlackCat's FIU data leak post on its darknet website. (Source: Darkfeed.io)\r\nThe stolen data allegedly contains PII of students and staff members, including their Social Security numbers and\r\ncontacts. The threat actor has also stolen the university's contracts, financial and accounting documents, SQL and\r\nemail databases, according to Darkfeed.\r\nThe university shared with ISMG the statement it sent to its employees and students. So far, there is no indication\r\nof the compromise, FIU says.\r\nStatement shared with ISMG\r\nIn an update shared with ISMG on April 12, FIU confirms that it recently became aware of a security incident\r\ninvolving ransomware that affected some of its systems at the university. 
\"We immediately started an\r\ninvestigation, informed law enforcement and engaged third party professionals to assist in the investigation of the\r\nincident. On Friday, April 8, 2022 [as seen above], we made our university community aware of a ransomware\r\ngroup’s claims that sensitive FIU data was exfiltrated and our efforts to investigate,\" FIU says.\r\nThis investigation is ongoing, and with the help of its partners, FIU says, it is trying to gain a complete\r\nunderstanding of the incident – \"including what type of data was stored on the server and may be at risk.\"\r\nCurrently FIU tells ISMG that the organization does not believe that any financial information, social security\r\nnumbers, or information on student performance was stored on the impacted server.\r\nFIU adds that the \"incident has not impacted the education process – students and researchers are continuing their\r\nwork, uninterrupted.\" Updates about any new findings will be shared soon, the FIU concluded.\r\nNorth Carolina Agricultural and Technical State University\r\nThe ransomware operators did not specify how much data they exfiltrated from the NCAT State University, but\r\nposted that the details were similar to those leaked in the FIU case.\r\nA spokesperson for NCAT State University tells ISMG, \"We recently experienced a cybersecurity incident to\r\nwhich our IT Services Department responded immediately, shutting down various systems to contain the incident.\r\nAfter exhaustive review, multiple investigating agencies have found no current faculty, staff or student data were\r\naffected.\"\r\n\"While we have restored access to the majority of our systems, work continues to be done to enhance and\r\nstrengthen our IT infrastructure, while ensuring that systems needed by faculty, staff and students are available.\"\r\nCiting the ongoing investigation, the spokesperson declined to comment on further specifics of the 
attack.\r\nNoting the ransomware attacks on FIU and NCAT State University, Brett Callow, a threat analyst at Emsisoft, says\r\nBlackCat, or Alphv, has increased its targeting of educational institutions. Callow says this is the third time this\r\nyear that the group has targeted a U.S.-based university or college, and the first such attack in 2022 was on\r\nPhillips Community College in February.\r\nAccording to Callow, at least 10 U.S. universities or colleges and eight school districts, for a total of 214 schools,\r\nhave been affected by ransomware so far this year. He says data was stolen in at least 11 of the 18 incidents.\r\nAsian Institute of Technology\r\nBlackCat has allegedly said that it stole 2TB worth of data, including employee PII data, client documentation and\r\nnetwork map, including credentials for local and remote services, from Bangkok-based Asian Institute of\r\nTechnology.\r\nNo other details about the leak could be confirmed or verified by the institute.\r\nAn independent Indian security practitioner who uses the alias Kulkarni Defence on Twitter, shared unredacted\r\ngrabs of the alleged data leak post. The images show investment and financial records, along with associated files\r\nstarting in 2017.\r\nTransportadora de Gas del Sur\r\nOf all the alleged ransomware attacks and claimed leaks, the claimed breach of Transportadora de Gas del Sur is\r\nlikely to have the biggest impact, if proven. 
TGS is the biggest pipeline system in Latin America, transporting\r\n60% of the total natural gas consumed in the region, and it supplies directly to distributors, electric generators and\r\nindustries.\r\nBlackCat's TGS data leak post on its darknet website (Source: Darkfeed.io)\r\nThere is no independent confirmation, but BlackCat says it has exfiltrated around 1,500GB or 1.5TB worth of\r\ndata, including accounting, finance, contracts and agreements, PII, project blue prints, reports and several other\r\ninternal company documents of TGS.\r\nBlackCat has reportedly warned all victims that the stolen data will be published on their sites if the ransom\r\namount is not paid.\r\nAIT and TGS did not immediately respond to ISMG's request for further details on the veracity of the threat\r\ngroup's claims and the ransom demands.\r\nConnection with BlackMatter\r\nBlackCat is said to be a rebrand of ransomware groups BlackMatter and DarkSide, following international\r\nscrutiny last year. Some security practitioners have debated these claims, but a new study from cybersecurity\r\nresearchers at Kaspersky has uncovered further links between BlackCat and BlackMatter ransomware families.\r\n\"At least some members of the new BlackCat group have links to the BlackMatter group, because they modified\r\nand reused a custom exfiltration tool which has only been observed in BlackMatter activity,\" the Kaspersky\r\nresearchers say.\r\nThe tool, dubbed Fendr, has been upgraded to include more file types and has been used extensively to steal data\r\nfrom corporate networks. 
\"This use of a modified Fendr, also known as ExMatter, represents a new data point\r\nconnecting BlackCat with past BlackMatter activity,\" the researchers say.\r\nSource: https://www.bankinfosecurity.com/blackcat-attack-on-betting-company-disrupts-service-a-18886",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/blackcat-attack-on-betting-company-disrupts-service-a-18886"
	],
	"report_names": [
		"blackcat-attack-on-betting-company-disrupts-service-a-18886"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434852,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/de538c9f8eeedffe281351cf53a4a665c1906943.pdf",
		"text": "https://archive.orkl.eu/de538c9f8eeedffe281351cf53a4a665c1906943.txt",
		"img": "https://archive.orkl.eu/de538c9f8eeedffe281351cf53a4a665c1906943.jpg"
	}
}