{
	"id": "340b284c-538e-44d5-ab97-6e976b9d765c",
	"created_at": "2026-04-06T00:11:58.902038Z",
	"updated_at": "2026-04-10T03:29:40.189924Z",
	"deleted_at": null,
	"sha1_hash": "ff12bebd550826522080010ef6a66ddd7b3c0bf7",
	"title": "BlackCat Purveyor Shows Ransomware Operators Have 9 Lives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 436123,
	"plain_text": "BlackCat Purveyor Shows Ransomware Operators Have 9 Lives\r\nBy Robert Lemos\r\nPublished: 2022-04-07 · Archived: 2026-04-05 17:55:26 UTC\r\nhttps://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives\r\nPage 1 of 4\n\nSource: Life on white via Alamy Stock Photo\r\nA ransomware group boasting its members come from now-shuttered groups BlackMatter and REvil has emerged\r\nfrom the shadows to launch a new ransomware-as-a-service, already attacking an enterprise resource planning\r\n(ERP) service provider and an industrial firm, new research shows.\r\nThe group, known as ALPHV, and its BlackCat malware have already infected \"numerous corporate victims,\"\r\nendpoint security firm Kaspersky said in an initial analysis posted on April 7. The operators of the new group\r\nadvertise themselves as the strongest option to replace BlackMatter and REvil following international takedowns\r\nof those ransomware groups and their infrastructures. Kaspersky researchers have detected signs that at least some\r\nof the members likely had roles in a previous group, BlackMatter.\r\nThe exact division of activities between the new group, its affiliates, and other cybercriminal services is unclear,\r\nsays Kurt Baumgartner, principal security researcher at Kaspersky.\r\n\"In all likelihood, the overall set of global BlackCat incidents is performed by a mix of both the group maintaining\r\nthe code and service, and affiliates performing their own work,\" he says. \"Some of that work can be broken down\r\nfurther, too, into access brokers and penetration efforts performed by the individual groups.\"\r\nThe analysis — and the strong hint that at least some of the operators may have been part of BlackMatter —\r\nshows that taking down ransomware groups' infrastructure does not stop them from again setting up shop.\r\nIn the case of ALPHV, Kaspersky researchers discovered that the group used a private tool, dubbed Fendr, that has\r\nonly been used by BlackMatter in the past. ALPHV used the tool to exfiltrate data from corporate victims in\r\nDecember 2021 and January 2022 before deploying ransomware, in a popular tactic known as double extortion.\r\n\"Our telemetry suggests that at least some members of the new BlackCat group have links to the BlackMatter\r\ngroup, because they modified and reused a custom exfiltration tool we call Fendr and which has only been\r\nobserved in BlackMatter activity,\" Kaspersky stated in the threat brief. \"This use of a modified Fendr, also known\r\nas ExMatter, represents a new data point connecting BlackCat with past BlackMatter activity.\"\r\nMalware Coders Take a Shine to Rust\r\nThe group is one of the few that has written its tools in the popular, but still uncommon, programming language\r\nRust, which allows it to quickly compile tools for multiple platforms, Kaspersky stated in its blog post. Rust\r\nallows the group to release one version for Windows and Linux, because of cross-compilation, and has significant\r\nsecurity checks to reduce the incidence of vulnerabilities.\r\n\"Rust is a cross-compilation language, so a number of BlackCat Linux samples quickly appeared in the wild\r\nshortly after their Windows counterparts,\" the researchers stated in the analysis. Other security firms have seen an\r\nincrease in Linux malware in the past year.\r\nKaspersky has detected BlackCat activity against a Middle Eastern provider of enterprise resource planning (ERP)\r\nservices, with the attackers attempting to steal credentials as well as encrypt the drives. A second attack — against\r\nan oil, gas, mining, and construction company in South America — included the use of the Fendr exfiltration tool.\r\nREvil and BlackMatter Redux?\r\nDivining the composition of the current group is a complex task, because ALPHV is a collection of developers,\r\nRaaS services, affiliates, negotiators, and cash-out support, says Baumgartner. Could the ALPHV group just be\r\nan affiliate that created its own organization and decided to use the REvil and BlackMatter brands for name\r\nrecognition?\r\n\"It's possible, and certainly, 'they' — ALPHV — claim to be composed of multiple parts of various past\r\nransomware schemes including REvil and BlackMatter, but at the same time, they are completely unreliable\r\nsources with bad agendas of their own,\" he says. \"I will say that it's clear for at least a portion of the BlackCat\r\nactivity, there is a definitive lineage back to BlackMatter activity.\"\r\nWhile both REvil and BlackMatter have been linked to Russian actors, Baumgartner could not say whether\r\nALPHV is itself made up of Russian nationals. Previous research has connected both to other groups such as\r\nDarkSide and LockBit 2.0.\r\nKaspersky has been the focus of a debate over whether the firm's software could pose a threat to national security.\r\nIn 2017, Russian cyber-espionage operators stole classified cyberattack and defense tools from the home computer\r\nof a National Security Agency contractor by exploiting Kaspersky's security software. The US government has\r\nsince banned the software, but the issue has resurfaced with Russia's invasion of Ukraine. According to a report in\r\nThe Wall Street Journal, the Biden administration is debating whether to sanction the firm.\r\nAbout the Author\r\nContributing Writer\r\nVeteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen\r\npublications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired\r\nNews. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the\r\nBlaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the\r\nshortage in cybersecurity workers and annual vulnerability trends.\r\nSource: https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/attacks-breaches/blackcat-purveyor-shows-ransomware-operators-have-nine-lives"
	],
	"report_names": [
		"blackcat-purveyor-shows-ransomware-operators-have-nine-lives"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff12bebd550826522080010ef6a66ddd7b3c0bf7.pdf",
		"text": "https://archive.orkl.eu/ff12bebd550826522080010ef6a66ddd7b3c0bf7.txt",
		"img": "https://archive.orkl.eu/ff12bebd550826522080010ef6a66ddd7b3c0bf7.jpg"
	}
}