Fusion DarkSide and REvil renamed BlackMatter blackmail king return?Target companies with more than $100 million in revenue

Analysts have discovered that a new ransomware gang started operations this week, claiming to combine the best features of the now-defunct Darkside and REvil ransomware groups.

The new extortion group, called BlackMatter (remember the name, a new extortion king, and another blackmailer), is currently recruiting affiliates (cooperation) through advertisements posted on two cybercrime forums called Exploit and XSS By).

Although advertising for ransomware operations has been banned on both forums since May, the BlackMatter group has not directly advertised its ransomware-as-a-service (RaaS) offering, but posted a recruiting “initial access broker” , a term used to describe individuals with access to a compromised corporate network.

According to the gang’s ads, BlackMatter is interested in partnering with brokers who could grant it access to a network of top businesses — requiring those companies to have annual revenue of $100 million or more.

According to the BlackMatter gang, the target victim needs to have 500 to 15,000 hosts and be located in the US, UK, Canada or Australia.

The BlackMatter team has expressed a willingness to pay up to $100,000 for exclusive access to any of these high-value networks. Once the team finds a suitable target, they use the access granted by the broker to deploy tools that take over the company’s internal systems and then deploy their file-encrypting payload.

The group boasts of being able to encrypt different OS versions and architectures. Includes Windows systems (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+ virtual endpoints, and Network Attached Storage (NAS) devices such as Synology, OpenMediaVault, FreeNAS, and TrueNAS.

BlackMatter also operates a dark web leak site

Like most of today’s top ransomware gangs, BlackMater also operates a site on the dark web — known as the Leaks Site — where it publishes the data from victims if the hacked company doesn’t agree to pay for decrypted files. data stolen from the attacker.

The site is currently empty, and researchers confirm that the BlackMatter group has only been activated this week and has not yet conducted any intrusions. In a section of the website, the BlackMatter group also lists a list of targets they do not intend to attack.This includes[原文]:


Critical infrastructure (nuclear power plants, power plants, water treatment facilities).

Oil and gas industry (pipelines, refineries).

defense industry.

non-profit company.

government departments.

The BlackMatter gang claims that if victims from these verticals become infected, they plan to decrypt their data for free. This section is very similar to what was previously available at the site of the Darkside gang spill, which ceased operations following the attack on US pipeline operator Colonial.

Is BlackMatter DarkSide or REvil?

From the above two links, we know that both the DarkSide and REvil ransomware teams have died and mysteriously shut down. So is the newly established BlackMatte DarkSide or REvil?

Information uncovered by security researchers and similarities across websites and partners may indicate that BlackMatter has been recruited or created by threat actors who have previously participated in DarkSide and REvil ransomware operations.

Because ransomware gangs often change their names to evade law enforcement, when we first reported on DarkSide in August 2020, some security researchers and law enforcement believed that REvil was changing its name to a new DarkSide operation.

However, the two gangs continued to fight side by side for nearly a year, until DarkSide attacked the Colonial Pipeline. Feeling all-out pressure from the U.S. government and law enforcement, DarkSide shut down its operations in May.

DarkSide’s shutdown was first reported by Unknown, REvil’s public-facing representative, who posted about it on a hacker forum. This seems to indicate that the upper levels of the two teams meet, or belong to the same large group.

Two months later, REvil was shut down following a massive attack on global hosting providers through a zero-day Kaseya VSA vulnerability. Like DarkSide, REvil is feeling a lot of pressure from the U.S. government and international law enforcement. Widespread speculation is that the Russian government shut them down and disappeared for a while.

After seeing the BlackMatter Tor site, security researchers discovered that it was very similar to the Tor site of the now-defunct DarkSide ransomware. Both pages share similar color themes, similar language, similar ways of calling themselves, and include a list of targets they won’t attack.

“The project has incorporated the best features of DarkSide, REvil and LockBit,” BlackMatter said.

Finally, cybersecurity firm Mandiant is seeing signs that hackers previously linked to DarkSide are now working with BlackMatter. “We’ve seen some signs that at least one actor involved in certain DARKSIDE ransomware operations is currently aligning with BLACKMATTER,” said Kimberly Goody, director of financial crime analysis at Mandiant. “This is not necessarily surprising, as we often see ransomware affiliates working with multiple providers.”

While many clues suggest this could be a rebrand of DarkSide, or possibly created by actors from both groups, we can’t be sure until a code similarity analysis of the ransomware samples is performed.

The encryption algorithm found in the decryptor shows that the notorious DarkSide ransomware gang has been renamed the new BlackMatter ransomware operation and is actively targeting corporate entities. This week, we learned that BlackMatter is targeting multiple victims with ransom demands ranging from $3 to $4 million.

This week, a victim has paid a $4 million ransom to BlackMatter to delete stolen data and obtain Windows and Linux ESXi decryptors.

While researching new ransomware groups, researchers discovered decryptors from BlackMatter victims and shared them with Emisosft CTO and ransomware expert Fabian Wosar. After analyzing the decryptor, Wosar confirmed that the new BlackMatter group was using the same unique encryption method that DarkSide used in its attack.

BlackMatter uses nearly the same encryption procedures as DarkSide, including a custom Salsa20 matrix unique to DarkSide, Wosar said. When encrypting data using the Salsa20 encryption algorithm, the developers provide an initial matrix of 16 32-bit words.

When encrypting files, Fabian said, instead of using constant strings, locations, nonces and keys for each encrypted file, DarkSide fills in words with random data. This matrix is ​​then encrypted using the public RSA key and stored in the footer of the encrypted file.

Fabian says this Salsa20 implementation was previously only used by DarkSide, and now BlackMatter. The researchers were also told that DarkSide uses RSA-1024 unique to its cipher, which is also used by BlackMatter.

While there’s no 100% proof that BlackMatter is a rebrand of Operation DarkSide, many similar traits make it hard to believe that’s not the case. When we adopt the same encryption algorithm, similar language used on BlackMatter’s website, similar desire for media attention, and similar color theme for their TOR website, it all ends up pointing to BlackMatter’s very, very suspected new DarkSide.

Unfortunately, this is a highly skilled team targeting multiple appliance architectures, including Windows, Linux, and ESXi servers. Therefore, we need to keep a close eye on this new group as they will certainly be targeting well-known targets in the future.

The Links:   LM14X79 B141XG09-V1

Related Posts