BlackCat ransomware improving data exfiltration tools

BlackCat ransomware gang upgrading operations of data exfiltration and encryption

Ransomware-as-a-service keeps evolving: the group operating this ransomware constantly introduces new tools and improvements

The gang behind one of the most dangerous ransomware strains has been spotted upgrading its malware arsenal. The BlackCat ransomware operators try to fly under the radar and expand their reach.[1] There are no signs of the group slowing down, since the latest samples show continued development of the malware. The ransomware relies on upgraded data exfiltration tools and is used in double-extortion attacks.[2]

This ransomware is the successor to the DarkSide and BlackMatter strains that recently created havoc.[3] BlackCat is one of the most sophisticated and advanced threats operating as a service (RaaS). Its operators appear to use the new Exmatter data exfiltration tool and the Eamfo information-stealing malware, which is designed specifically to steal credentials stored by the Veeam backup software.[4]

The newest report from Symantec researchers shows that the gang that shut down DarkSide and BlackMatter last year is still actively running its ransomware-as-a-service operation using this strain, with affiliates carrying out the attacks in exchange for a cut of the illicit proceeds.

Continuous development and focus on data theft

The evolution of the group's tactics and tools shows a focus on new encryption functionality, including the ability to reboot compromised machines in order to evade detection. These reports show that ransomware operators adapt their operations to remain effective for as long as possible, and the use of information-stealing malware and data exfiltration tools contributes significantly to that goal.

BlackCat ransomware has been observed using Emotet malware[5] as the initial vector for infiltration. The gang also seems to welcome members of recently closed groups, such as the Conti ransomware gang, which withdrew from the cyber threat scene not long ago.

In June 2022, BlackCat introduced support for encrypting files on ARM architectures and an option to run the encryption from Windows Safe Mode, with or without networking. The gang has also created resources that let people search the stolen data, increasing the payment pressure on affected firms. The family keeps evolving and makes its operations significantly more effective and efficient.

RaaS is on the rise and getting upgrades

Data exfiltration and double or even triple extortion have become popular among these ransomware groups. Threat actors upgrade their programs, and alongside data corruption functionality, the ransomware implements data exfiltration as a new tactic. It is believed that malicious actors might switch to this method even more in the future.

These newer samples of old malware, as well as new ransomware strains, show that recent incidents involve data exfiltration and file theft. The stolen files get uploaded to actor-controlled servers, and once they have been successfully copied to the remote server, direct extortion messages can be sent to the victims.

Many of these RaaS strains run an affiliate program, as BlackCat does, but the payment sites, the development of the ransomware, the handling of negotiations, and other operations are still run by the core threat actors. Affiliates breach the network, steal the needed data, disrupt backups, and encrypt devices. Operators get around 30% of the ransom payment in such arrangements.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for He graduated from Washington and Jefferson College, Communication and Journalism studies.
