Recorded Future analyst Dmitry Smilyanets interviewed a representative of the hack group behind the BlackCat ransomware (ALPHV). He confirmed that ALPHV is associated with such well-known groups as BlackMatter and DarkSide.
Let me remind you that the unusual ransomware ALPHV (aka BlackCat and BC.a Noberus) written in Rust was discovered by researchers at the end of last year. Even then, experts noted that the creator of ALPHV was probably previously a member of the well-known hacker group REvil, and the new malware is a “very complex” encryptor.
Back at the end of 2021, after the appearance of ALPHV, a representative of the LockBit hack group stated that ALPHV is just a rebranding of the BlackMatter/DarkSide malware.
Now, these statements have been confirmed by the ALPHV representative himself:
“Partly we are all connected to gandrevil [GandCrab/REvil], blackside [BlackMatter/DarkSide], mazegreggor [Maze/Egregor], LockBit and so on, because we are “advertising”. “Advertising” writes software, “advertising” chooses the brand name, the entire affiliate program is nothing without “advertising”. There was no rebranding or mixing of valuable personnel, because we are not directly related to these affiliate programs. Let’s just say we borrowed their strengths and eliminated their weaknesses.”
Although BlackCat operators claim in interviews that they were only BlackMatter/DarkSide partners running their own extortion business, some experts do not believe this. For example, in response to the statements of hackers, Bleeping Computer quotes Emsisoft analyst Brett Callow, who is sure that BlackMatter simply replaced the development team after Emsisoft found a vulnerability in their malware that allowed victims to restore files for free.
“While ALPHV claims to be former partners of DS/BM, it’s more likely that they *are* DS/BM, just trying to distance themselves from this brand due to the reputational hit they received after a bug [we discovered] that cost their partners of several million dollars,” Callow says.
Bleeping Computer journalists also note that hackers do not seem to learn from their mistakes. The fact is that the responsibility for the recent attacks on the German companies Oiltanking and Mabanaft , engaged in the transportation and storage of oil and petroleum products, lies with the operators of the BlackCat/ALPHV encryptor. These attacks once again affected the fuel supply chain and caused a lot of problems.
This is quite ironic, considering that the DarkSide group was forced to cease its activities earlier precisely after the attack on the largest pipeline operator in the United States, Colonial Pipeline, as the incident provoked interruptions in the supply of fuel and drew too much unnecessary attention to the hackers.
About the same thing happened with the BlackMatter ransomware, which experts almost immediately called the rebranding of DarkSide – law enforcement agencies confiscated the group’s servers and forced it to “close” again .
Now, after attacking Oiltanking and Mabanaft, the faction may again be under attack for the same reason. However, in an interview with Recorded Future, the hackers said that they cannot control who exactly their partners attack, and try to block those who break the rules.