SilverFang is the reborn BlackCat ransomware operation, and it's not going after Fortune 500s — it's hunting SMBs with exposed Remote Desktop ports. They get in, steal your data, encrypt everything, then demand up to $500K. Over 60 businesses hit in the last 30 days alone. One open port is all it takes.
SilverFang is a ransomware-as-a-service (RaaS) operation that emerged in February 2026, approximately three months after the FBI-led takedown of the BlackCat/ALPHV ransomware operation. Mandiant's threat intelligence team and the FBI's Cyber Division assess with moderate-to-high confidence that SilverFang is operated by former BlackCat affiliates who rebuilt their infrastructure and rebranded. The group uses a double-extortion model — encrypting victim files and threatening to publish stolen data on their dark web leak site if the ransom is not paid. In the past 30 days, SilverFang has claimed responsibility for attacks on over 60 organizations, predominantly small and mid-sized businesses in the United States.
SilverFang's primary initial access vector is exposed Remote Desktop Protocol (RDP) endpoints. RDP, which runs on TCP port 3389, allows remote access to Windows systems and is widely used by small businesses for remote work and IT administration. When RDP is exposed directly to the internet without additional protections, attackers can attempt to brute-force credentials or exploit known RDP vulnerabilities. SilverFang affiliates are purchasing lists of exposed RDP endpoints from dark web marketplaces and systematically attempting credential attacks. Once they gain access, they move laterally through the network, steal data, and then deploy ransomware.
Like its predecessor BlackCat, SilverFang uses double-extortion tactics. Before encrypting files, the group exfiltrates sensitive business data including financial records, customer information, employee data, and any other valuable files they can access. They then encrypt the victim's systems and demand a ransom — typically ranging from $25,000 to $500,000 for SMB targets — threatening to publish the stolen data publicly if payment is not made. This means that even organizations with good backups face the threat of data exposure, making prevention far more important than recovery.
The most effective protection against SilverFang and similar RDP-based attacks is straightforward: do not expose RDP directly to the internet. If remote access is required, use a VPN with multi-factor authentication as the gateway, and only allow RDP connections from within the VPN. Enable Network Level Authentication on all RDP-enabled systems. Use strong, unique passwords for all accounts and implement account lockout policies to prevent brute-force attacks. Deploy an Endpoint Detection and Response (EDR) solution that can detect and block ransomware behavior. Maintain immutable, air-gapped backups that cannot be encrypted by ransomware.
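A detection-side complement to the brute-force and account-lockout points above, as an added example that is not part of the original article: it scans Windows Security log records for a burst of failed RDP-style logons from one source address, and for a successful logon that follows such a burst. The sample records, addresses, threshold and window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, account).
# Event 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); type 3 is Network, which is how failed RDP attempts
# are usually logged when Network Level Authentication is enabled.
SAMPLE_EVENTS = (
    [(f"2026-03-01T02:1{i}:00", 4625, 3, "203.0.113.50", "administrator") for i in range(6)]
    + [("2026-03-01T02:16:30", 4624, 10, "203.0.113.50", "administrator")]
    # A user mistyping a password twice, then succeeding: below the threshold.
    + [("2026-03-01T09:00:00", 4625, 3, "198.51.100.7", "jsmith"),
       ("2026-03-01T09:00:20", 4625, 3, "198.51.100.7", "jsmith"),
       ("2026-03-01T09:00:45", 4624, 10, "198.51.100.7", "jsmith")]
    # Hourly failures: never five inside one ten-minute window.
    + [(f"2026-03-01T1{i}:00:00", 4625, 3, "203.0.113.99", "admin") for i in range(5)]
    # Console logon failure (type 2) is not RDP and is ignored.
    + [("2026-03-01T08:00:00", 4625, 2, "-", "jsmith")]
)
RDP_LOGON_TYPES = {3, 10}

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed logons inside the window ("burst")
    and any successful logon that follows such a burst."""
    recent = defaultdict(list)   # source_ip -> failure times still inside the window
    alerted, findings = set(), []
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type not in RDP_LOGON_TYPES or event_id not in (4624, 4625):
            continue
        when = datetime.fromisoformat(ts)
        recent[src] = [t for t in recent[src] if when - t <= window]
        if event_id == 4625:
            recent[src].append(when)
            if len(recent[src]) >= threshold and src not in alerted:
                alerted.add(src)   # one burst alert per source
                findings.append({"kind": "burst", "source": src, "account": account,
                                 "failures": len(recent[src]), "at": ts})
        elif len(recent[src]) >= threshold:
            # Success right after a burst: treat as a likely compromised account.
            findings.append({"kind": "success_after_burst", "source": src,
                             "account": account, "failures": len(recent[src]), "at": ts})
            recent[src].clear()
    return findings

if __name__ == "__main__":
    for finding in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

Logon type 3 also covers other network logons such as file share access, so a finding is best confirmed against firewall or RDP connection logs for TCP port 3389 before it is acted on.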