A spokesman for the ransomware most commonly called BlackCat confirmed its lineage as part of the Dark Side/BlackMatter family in an interview with a threat analyst at Recorded Future, and asked that the group be referred to by its advertised name of ALPHV. The connection to Dark Side had been suspected since at least the beginning of the year.
BlackCat/ALPHV emerged last year, but its leaks page shows a large group of victims, which experts believe is a sign of popularity among ransomware affiliate hackers. It was most famously seen in breaches of two German oil companies earlier this month that impacted more than 200 gas stations. Dark Side was most famous for briefly shuttering Colonial Pipeline last year.
"As [designers] of darkmatter [Dark Side / BlackMatter], we suffered from the interception of victims for subsequent decryption by Emsisoft," explained the spokesman, answering a question from analyst Dmitry Smilyanets about why the ALPHV ransomware used individual domains and access tokens for each victim.
Emsisoft had used BlackMatter's wonky communications system, which was not unique for each victim, to find victims and give them a decryptor.
While ALPHV made several claims throughout the interview, all of which may well be the puffery of criminals advertising its brand to potential collaborators, there is good reason to believe in the connection between ALPHV and Dark Side. Researchers quickly noticed design overlaps between the groups. Earlier this week, Emsisoft's Brett Callow told SC Media he was preparing intelligence for release that ALPHV was a rebranding of Dark Side after the group fired its old developer team and hired a new one.
ALPHV presents itself as an entirely new group made up of the best programmers from different defunct strains of ransomware, though Callow says keeping the Dark Side and BlackMatter brand names at arm's length is to maintain credibility with affiliates.
"The rebrand was driven by the reputational harm from the incompetence resulting in Dark Side ransomware being decrypted. Plus, a portion of the ransom paid by Colonial Pipeline was recovered, which would leave affiliates wondering whether the operation was compromised," said Callow.
"The rebrand lets them say they are a somewhat experienced operation — otherwise, no one would want to work with them," Callow added. "At the same time, they don't want to admit to being BlackMatter because that was associated with the bad things."
There is some irony that ALPHV's breakthrough incident was caused by an oil disruption. International police pressure following the Colonial Pipeline attack, which disrupted oil distribution on the U.S. East Coast, forced Dark Side to shut down. It later re-emerged as BlackMatter.
Ultimately, it is not the ransomware designers who determine who the ransomware affiliates attack. Affiliates are contractors who sometimes use multiple brands of ransomware at a time.
ALPHV told Recorded Future it tries to curate a group of affiliates that will abide by its policies of not attacking government, hospitals, education or Russia's closest allies, but it was limited in what it could do to stop it.
"We control preventively — at registration. As you can see, we do not run an active advertising campaign and easily cut ties with non-compliant partners, but no matter how hard we try to filter people when creating an account — shit happens," the spokesman said.
