Privacy Ninja

BlackCat Ransomware’s Data Exfiltration Tool Gets an Upgrade

The BlackCat ransomware (aka ALPHV) isn’t showing any signs of slowing down, and the latest example of its evolution is a new version of the gang’s data exfiltration tool used for double-extortion attacks.

BlackCat is considered a successor to DarkSide and BlackMatter and is one of the most sophisticated and technically advanced Ransomware-as-a-Service (RaaS) operations.

Security researchers at Symantec, who track BlackCat as “Noberus”, report that the developer of the first Rust-based ransomware strain continually improves and enriches the malware with new features.

Lately, the focus appears to have been on the tool used for exfiltrating data from compromised systems, an essential requirement for conducting double extortion attacks.

Named “Exmatter,” the tool has been in use since BlackCat’s launch in November 2021 and was heavily updated in August 2022, featuring the following changes:

  • Limit the file types to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG.
  • Add FTP as an exfiltration option in addition to SFTP and WebDAV.
  • Offer an option to build a report listing all processed files.
  • Add an “Eraser” feature giving the option to corrupt processed files.
  • Add a “Self-destruct” configuration option to quit and delete itself if executed in non-valid environments.
  • Remove support for SOCKS5.
  • Add an option for GPO deployment.

In addition to the expanded capabilities, the latest Exmatter version has gone through heavy code refactoring, reimplementing existing features more stealthily to evade detection.

Another recent addition to BlackCat’s info-stealing capacity is the deployment of a new malware called “Eamfo,” which explicitly targets credentials stored in Veeam backups.

Veeam backup software typically stores credentials for domain controllers and cloud services, which the ransomware actors can then use for deeper infiltration and lateral movement.

Eamfo connects to the Veeam SQL database and steals the backup credentials with the following SQL query:

select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]

Once the credentials are extracted, Eamfo decrypts them and displays them to the threat actor.
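A defender-side check suggested by the query above, added here as an example that is not part of the original article or of Symantec’s research: it scans constructed SQL Server audit lines (in a hypothetical pipe-delimited format) and flags reads of the password column of the Veeam credential table by client applications outside an assumed allow-list of Veeam service names.

```python
import re
from dataclasses import dataclass

# Constructed audit lines (not real data): "<time>|<client_app>|<login>|<statement>"
SAMPLE_AUDIT = """\
2022-08-20T10:01:02|Veeam.Backup.Service|NT AUTHORITY\\SYSTEM|SELECT TOP 1 [id] FROM [VeeamBackup].[dbo].[Backups]
2022-08-20T10:02:15|Veeam.Backup.Manager|NT AUTHORITY\\SYSTEM|select [user_name],[password] from [VeeamBackup].[dbo].[Credentials] where id=@p0
2022-08-20T10:03:44|.Net SqlClient Data Provider|CONTOSO\\svc_backup|select [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]
2022-08-20T10:04:10|sqlcmd|CONTOSO\\jdoe|SELECT user_name, password FROM VeeamBackup.dbo.Credentials
"""

# Client application names expected to read the credential table (assumption;
# tune to the real service names seen in the environment's own audit logs).
EXPECTED_APPS = {"Veeam.Backup.Service", "Veeam.Backup.Manager"}

CRED_TABLE = re.compile(r"\bVeeamBackup\.dbo\.Credentials\b", re.IGNORECASE)


def normalize_sql(stmt):
    """Strip identifier brackets and collapse whitespace so that
    [VeeamBackup].[dbo].[Credentials] and VeeamBackup.dbo.Credentials compare equal."""
    return " ".join(stmt.replace("[", "").replace("]", "").split())


def reads_password_column(stmt):
    """True if the statement references the password column."""
    return re.search(r"\bpassword\b", stmt, re.IGNORECASE) is not None


@dataclass
class Alert:
    time: str
    app: str
    login: str
    statement: str


def find_credential_reads(audit_text, expected_apps=EXPECTED_APPS):
    """Return one Alert per statement that reads the password column of the
    Veeam credential table from a client application outside the expected set."""
    alerts = []
    for line in audit_text.splitlines():
        time, app, login, stmt = line.split("|", 3)
        sql = normalize_sql(stmt)
        if CRED_TABLE.search(sql) and reads_password_column(sql) and app not in expected_apps:
            alerts.append(Alert(time, app, login, sql))
    return alerts


if __name__ == "__main__":
    for a in find_credential_reads(SAMPLE_AUDIT):
        print(f"{a.time} {a.app} ({a.login}): {a.statement}")
```

Bracketed and unbracketed spellings of the table name are normalized before matching, so a query rewritten to avoid a literal string match is still caught.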

The researchers note that the info-stealing malware has been used by other ransomware gangs in the past, including Monti, Yanluowang, and LockBit.

Finally, Symantec has noticed that the BlackCat operation has been seen using an older anti-rootkit utility called to terminate antivirus processes.

Staying at the top

In June 2022, BlackCat introduced support for encrypting files on ARM architectures and a mode to encrypt in Windows safe mode with or without networking.

At that time, the gang also created a dedicated online resource where people could search for their stolen data to increase the pressure on breached firms.

It’s evident that BlackCat constantly evolves with new tools, improvements, and extortion strategies to make the RaaS operation more effective and efficient.

Symantec reports that BlackCat’s operators expel affiliates who aren’t as prolific as they would like, suggesting they seek collaboration with lower-tier RaaS programs.

Researchers have also seen ex-Conti affiliates moving to BlackCat/ALPHV after the Conti ransomware gang shut down their operation.

This shutdown has led to an influx of experienced attackers who were quickly able to launch new attacks under the new operation.
