BlackMatter, a new ransomware group, claims link to DarkSide, REvil

BlackMatter, a new ransomware group, claims link to DarkSide, REvil

There’s a new ransomware gang in town—and, frankly, we’re not at all surprised.

After DarkSide disappeared—coincidentally, immediately after Colonial Pipeline gave in to the group’s ransom demand of roughly $5M USD worth in Bitcoin—a new ransomware group who calls themselves BlackMatter surfaced on the dark web, kicking off their operations sometime this week.

Analysts from Recorded Future, the cybersecurity group who initially reported on the new ransomware group, said their researchers are currently investigating BlackMatter. Though it is a fairly new cybercriminal gang, its members could be considered professionals in Ransomware-as-a-service (RaaS) as, to quote from BlackMatter themselves, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”

The BlackMatter group has been spotted posting on Exploit and XSS, two known cybercrime forums in the dark web. They’re not advertising their ransomware, however; they are recruiting affiliates that are called “initial access brokers,” a term that cybergangs use to refer to fellow criminals who have access to hacked enterprise networks. According to BlackMatter’s ads, the ransomware group is seeking hacked access to “corporate networks” located in Australia, Canada, the UK, and the US.

The new ransomware gang made it clear that they will not be targeting certain organizations, almost as if to say that they are keenly aware of the danger that comes from pulling off internationally-recognized attacks which can lead—and have led—to sudden shutdowns and disappearances.

In their own leak site, BlackMatter claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:

“* Hospitals.
* Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
* Oil and gas industry (pipelines, oil refineries).
* Defense industry.
* Non-profit companies.
* Government sector.”

At the moment, BlackMatter has not made any move to attack organizations yet. Perhaps it won’t be long now.

Malwarebytes Labs will keep an eye on BlackMatter and continue to report about it in the future, not forgetting that AvosLocker, another new ransomware variant that popped up roughly in late June or early July, is also currently looking for affiliates they can work with; and, last but not the least, Haron, a potential offshoot of Avaddon and Thanos ransomware operations.