
BlackMatter goes on the record about DarkSide and REvil links

BlackMatter gives details of its ransomware-as-a-service operation and distinguishes itself from now-defunct ransomware gangs in an interview with cyber security analysts from Recorded Future

The BlackMatter ransomware gang has confirmed that, despite taking inspiration from the DarkSide operation and having worked with some of its affiliates in the past, it is its own distinct project.

BlackMatter, which was officially founded in July 2021, is in the process of recruiting affiliates for its ransomware-as-a-service (RaaS) programme, and is actively advertising for initial access brokers who can help it infiltrate high-value corporate networks.

It is specifically targeting large corporations that meet three core criteria: revenues of $100m a year or more, networks with 500 to 15,000 hosts, and a location in the US, the UK, Canada or Australia.

As ransomware gangs have a tendency to rename themselves to evade law enforcement, security researchers have been speculating about the connections between BlackMatter and other groups, namely REvil and DarkSide.

The actors behind REvil, for example, which was responsible for the high-profile attack on Kaseya at the start of July, are thought to be the same actors as those behind an old ransomware strain known as GandCrab.

While at one point some researchers believed REvil was rebranding as DarkSide, which first emerged in August 2020, both continued operating side-by-side for nearly a year until the latter attacked Colonial Pipeline in May 2021.

Both DarkSide and REvil have disappeared since their respective attacks on Colonial Pipeline and Kaseya, although the exact reason for them going underground has not been confirmed.

In an interview with Recorded Future’s expert threat intelligence analyst Dmitry Smilyanets, which was published in The Record, a BlackMatter representative said: “We are familiar with the DarkSide team from working together in the past but we are not them, although we are intimate with their ideas.”

The representative added that BlackMatter has learned a number of lessons from the exit of REvil, DarkSide and others from the RaaS market.

“We believe that to a large extent their exit from the market was associated with the geopolitical situation on the world stage,” they said. “First of all, this is the fear of the United States and its planning of offensive cyber operations, as well as a bilateral working group on cyber extortion. We are monitoring the political situation, as well as receiving information from other sources.

“When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work. We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us.”


The representative added that large-scale attacks like those on Colonial Pipeline were “a key factor for the closure” of other ransomware gangs, which is why they have decided to forbid attacking certain targets, including hospitals, critical infrastructure facilities such as nuclear power plants or water treatment plants, and the oil and gas industry: “We see no sense in attacking them.”

The BlackMatter representative said the group had also taken time to specifically study the DarkSide, REvil and LockBit operations before starting its own project, adding that it has incorporated each project’s strengths into its own.

“From REvil – SafeMode, their implementation was weak and not well thought out, we developed the idea and thoroughly implemented it. We also implemented the PowerShell version of the ransomware variant given the REvil implementation,” they said.

“From LockBit – an approach to the implementation of the codebase, we took some things from there, mostly little things.

“From DarkSide – first of all, this is the idea of impersonation (the ability of the encryptor to use the domain administrator account to encrypt the shared drives with maximum rights), we also borrowed the structure of the admin panel from there.”

The representative added that the BlackMatter product has been in development for the last six months and confirmed – in line with BleepingComputer’s assessment that active attacks are under way and at least one victim has already paid $4m to the threat actors – that it is already negotiating with companies it has attacked.

When asked by Smilyanets why the talented professionals on the BlackMatter team are using their skill for “destructive activities”, and whether they had considered legal penetration testing, the representative responded: “We do not deny that business is destructive, but if we look deeper – as a result of these problems, new technologies are developed and created. If everything was good everywhere, there would be no room for new development.

“There is one life and we take everything from it, our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data.

“We have not been involved in legal pen-testing and we believe that this could not bring the proper material reward.”
