A successor to REvil and DarkSide emerges

Sheila Zabeu -

August 05, 2021

A new ransomware group made its appearance in July, claiming to pool the best resources from the REvil and DarkSide operations, which disappeared from the Dark Web recently.

On July 19, an actor using the alias BlackMatter registered accounts on the Russian-language XSS and Exploit forums and deposited 4 bitcoins (about $150,000) into an escrow account. High-value deposits signal that a threat actor is serious, Flashpoint reported.

The gang is interested in attacking companies in the United States, United Kingdom, Canada or Australia with revenues over $100 million and 500 to 15,000 hosts on their networks, excluding the healthcare, critical infrastructure, oil and gas, defense, non-profit and government sectors. The group is offering between $3,000 and $100,000 for access to corporate networks, plus a share of whatever ransom is eventually demanded from the victims.

According to cyber threat analysis firm Recorded Future, which has also identified the new group's infrastructure, there is a connection between BlackMatter and the former DarkSide group, although this is still under investigation. Flashpoint analysts, meanwhile, note that REvil previously labeled its Windows registry key “BlackLivesMatter”.

SOURCE: BlackMatter public blog hosted by Recorded Future

Flashpoint analysts also discovered a website on a domain registered by BlackMatter, in which the group details the restrictions on the profiles of companies it targets. Following the launch of this site, rumors emerged claiming that BlackMatter was simply a rebranding of the DarkSide group. The claims rest on the site’s DarkSide-like design and on the fact that BlackMatter explicitly stated it would not target the oil and gas sector, a nod to the Colonial Pipeline attack, DarkSide's most prominent victim.

Coincidence or not, BlackMatter’s emergence comes just a few weeks after the Dark Web ransomware groups DarkSide and REvil disappeared. Over the course of 2021, both managed to extort tens of millions of dollars from major companies, including Colonial Pipeline and JBS SA, along with several other victims. After they drew the spotlight, they began to keep a lower profile, going so far as to suggest that their operations were actually penetration tests, which are often conducted to legitimately assess the robustness of systems, until they decided to disappear from the scene.

BlackMatter does not openly claim to be running a ransomware operation, although the content of its posts clearly indicates otherwise. For example, the group claims to be able to encrypt various operating system versions and architectures, including Windows Server 2003 x86/x64 or higher, Windows 7 x86/x64 or higher, Linux, ESXi 5+, Ubuntu, Debian, and CentOS, with VMFS, VFFS, NFS, and VSAN file systems.

According to Flashpoint, it is not yet possible to say definitively who is behind BlackMatter. It’s important to note that suggestive posts and a high-value cryptocurrency account are no guarantee that a ransomware group has actually been formed. It could be that fraudsters are deliberately mimicking the behavior of these notorious cyber gangs to gain credibility quickly. However, the BleepingComputer website was able to confirm that active attacks are underway and that at least one victim paid $4 million to BlackMatter in late July. Could BlackMatter, then, be the reincarnation of one or two major ransomware groups? Or a new cyber gang? Under either hypothesis, the answer is the same: stay vigilant and protect yourself.