New ransomware gang spins out of DarkSide

The emergence of a ransomware gang known as BlackMatter raises questions that it could be a re-brand of REvil or DarkSide

A ransomware group has emerged to target large corporate entities with revenues of $100m or more per year, according to analysts from Recorded Future.

Posited as a successor to the now-defunct DarkSide and REvil groups, BlackMatter was founded in July 2021 and is currently in the process of recruiting affiliates for its ransomware-as-a-service (RaaS) programme through ads posted on two cyber crime forums, Exploit and XSS.

While ads for ransomware operations have been banned from both forums since May 2021, BlackMatter has circumvented this by posting ads for the recruitment of “initial access brokers”, or those with access to hacked enterprise networks.

According to the ads, the BlackMatter group is looking for brokers who can help it access high-value corporate networks that meet three criteria: revenues of $100m a year or more; networks with 500 to 15,000 hosts; and a location in the US, the UK, Canada or Australia.

The group added that it is willing to pay between $3,000 and $100,000 for access to these networks, as well as a share of any ransom obtained.

According to Recorded Future, the group provides ransomware that is able to infect a variety of operating system versions and architectures, including Windows, Linux, VMware ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices.

“The BlackMatter ransomware group appears to be partnering with actors who can provide initial access to victim organisations. They have implemented requirements for these partners, likely to filter out security researchers and law enforcement, especially now given the significant media attention,” said Kimberly Goody, director of financial crime analysis at Mandiant Threat Intelligence.

“Examples of these requirements include having an older profile on the forum with a minimum number of posts, providing proof of previous work with another ransomware, or providing confirmation of accesses to at least two large companies with revenues over $100m.”

As ransomware gangs have a tendency to rename themselves to evade law enforcement, security researchers are speculating about the connections between BlackMatter and other groups, namely REvil and DarkSide.

The actors behind the REvil group, for example, which was behind the recent high-profile attack on Kaseya at the start of July, are thought to be the same actors as those behind an old ransomware strain known as GandCrab.

While at one point some researchers believed REvil was re-branding as DarkSide, which first emerged in August 2020, both continued operating side-by-side for nearly a year until the latter attacked Colonial Pipeline in May 2021.

Both DarkSide and REvil have disappeared since their respective attacks on Colonial Pipeline and Kaseya, although the exact reason for them going underground has not been confirmed.

Security researchers have pointed out that BlackMatter’s Tor site strongly resembles that of DarkSide, noting the use of similar language and the stated commitment to not attack certain targets.

According to BlackMatter’s site, the group has committed to not attacking certain sectors or organisations. These include hospitals, critical infrastructure facilities such as nuclear power plants or water treatment plants, the oil and gas industry, the defence industry, non-profits, and the public sector. It added: “If your company is on that list, you can ask us for free decryption.”

However, while no victims are currently listed on the site, BleepingComputer has been able to confirm there are active attacks underway, and that at least one victim has already paid $4m to the threat actors.

BleepingComputer later reported that it had found a decryptor from a BlackMatter victim, which analysis showed was using the same unique encryption methods that DarkSide has been using.

A copy of the BlackMatter ransomware has also been uploaded by McAfee scientist Christiaan Beek to cyber crime tracking site Abuse.ch’s MalwareBazaar database. Having examined the code, other security firms have verified that the similarities strongly suggest BlackMatter is a re-branding of DarkSide.

“We have seen some indication that currently suggests that at least one actor connected to some DarkSide ransomware operations is aligning themselves with BlackMatter. This isn’t necessarily surprising as we commonly see ransomware affiliates partnering with multiple providers,” said Goody.
