The BlackCat ransomware has moved into its next phase of operation after updating its data exfiltration tool. The ransomware is quite popular in underground markets for its double-extortion attacks, and the threat actors are presumed to be using the new upgrade in future campaigns.
Researchers at Symantec reported the new and improved version of the exfiltration tool, a flagship product of the BlackCat ransomware gang. It has been used for data exfiltration in high-profile attacks in which the TA takes control of compromised systems and applies double extortion methods.
BlackCat ransomware
BlackCat ransomware, also known as ALPHV, contributed to the growing ransomware-as-a-service (RaaS) gig economy. Because it is written in Rust, an unconventional programming language for malware, it can compromise systems through multiple entry points, and it has been affiliated with prolific hacker groups, per Microsoft’s report.
For the uninitiated, BlackCat encrypts the targets’ data and uses double extortion tactics — where the TA threatens to publish the stolen data unless the victim pays a ransom. The ransomware is also related to other extortion gangs, including the infamous Conti and LockBit.
BlackCat ransomware focuses on exfiltrating data
BlackCat ransomware’s data exfiltration tool, previously used in extortion rackets, has been identified as “Exmatter”; the ransomware gang launched it in November 2021. An updated version was released in August 2022. It featured new functions such as limiting exfiltration to files with 17 specific extensions, building reports of processed files, removing support for Socks5, GPO deployment, an “Eraser” routine that corrupts processed files, FTP extraction, a “self destruct” routine that deletes the program when it detects it is running in a non-valid environment, and more.
Moreover, the latest Exmatter version includes stealthier features that make it harder for threat detection programs to detect. It can also deploy a new malware called “Eamfo,” which can steal credentials from Veeam backups.
Eamfo connects to the Veeam SQL database and aims to steal the backup credentials using the SQL query “select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]”.
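The query quoted above gives defenders a concrete signature to hunt for. As an added example (not code from the article, Symantec or Veeam), the following Python scans a constructed, simplified SQL Server audit export for reads of the Veeam Credentials table that come from anything other than Veeam’s own services; the export format, the sample rows and the VEEAM_APPS application names are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a simplified SQL Server audit export (not a real format):
# timestamp | client host | application name | login | statement
SAMPLE_AUDIT = """\
2022-09-20T10:01:12Z|VEEAM01|Veeam.Backup.Service|NT AUTHORITY\\SYSTEM|SELECT [id],[user_name] FROM [VeeamBackup].[dbo].[Credentials] WHERE [id] = @id
2022-09-20T10:03:44Z|WS-FIN-07|.Net SqlClient Data Provider|CORP\\svc_backup|select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
2022-09-20T10:04:01Z|WS-FIN-07|.Net SqlClient Data Provider|CORP\\svc_backup|SELECT user_name, password FROM VeeamBackup.dbo.Credentials
2022-09-20T10:05:30Z|VEEAM01|Veeam.Backup.Service|NT AUTHORITY\\SYSTEM|UPDATE [VeeamBackup].[dbo].[Backups] SET [state] = 1
"""

# Application names that Veeam's own services present to SQL Server.
# This is an assumption for the example; tune it to what your deployment reports.
VEEAM_APPS = {"Veeam.Backup.Service", "Veeam.Backup.Manager"}

CRED_TABLE = re.compile(r"\bveeambackup\.dbo\.credentials\b")


@dataclass
class Alert:
    timestamp: str
    host: str
    login: str
    app: str
    reads_password: bool  # True when the select list includes the password column


def normalise(stmt: str) -> str:
    # Strip T-SQL identifier brackets, collapse whitespace and lowercase so that
    # bracketed and unbracketed spellings of the same query match alike.
    return re.sub(r"\s+", " ", stmt.replace("[", "").replace("]", "")).strip().lower()


def find_credential_reads(audit_text: str, allowed_apps=VEEAM_APPS) -> list:
    """Return one Alert per statement touching the Credentials table from a non-Veeam app."""
    alerts = []
    for raw in audit_text.splitlines():
        if not raw.strip():
            continue
        ts, host, app, login, stmt = raw.split("|", 4)
        norm = normalise(stmt)
        if not CRED_TABLE.search(norm):
            continue
        if app in allowed_apps:
            continue  # Veeam's own services legitimately read this table
        select_list = norm.split(" from ", 1)[0]
        reads_password = norm.startswith("select") and re.search(r"\bpassword\b", select_list) is not None
        alerts.append(Alert(ts, host, login, app, reads_password))
    return alerts


if __name__ == "__main__":
    for a in find_credential_reads(SAMPLE_AUDIT):
        print(f"{a.timestamp} {a.host} {a.login} via {a.app!r} password={a.reads_password}")
```

In production the same logic would run over rows returned by sys.fn_get_audit_file from a SQL Server audit scoped to the VeeamBackup database, with client host and application name taken from the audit record.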