As expected, after weeks underground, the notorious DarkSide is back in action. The DarkSide gang has reemerged as the BlackMatter ransomware gang, which is actively targeting enterprises.
DarkSide Reemerged As BlackMatter
Reportedly, a new ransomware gang has surfaced on underground forums, along with a possible list of victims.
As several security researchers noticed, the new threat has branded itself “BlackMatter Ransomware” and is interested in buying network access to enterprises.
Initially, it seemed that the ransomware gang had arisen from REvil and DarkSide.
#REvil -> #BlackMatter ?? pic.twitter.com/yGIKl9KcL5
— pancak3 (@pancak3lullz) July 27, 2021
Both notorious ransomware gangs went offline recently after attracting unwanted attention from the media and security agencies.
Specifically, DarkSide went offline soon after the devastating attack on the Colonial Pipeline, whereas REvil went offline more recently after it disrupted thousands of businesses via the Kaseya zero-day exploit.
However, digging deeper into BlackMatter’s structure and activities shows that it is actually DarkSide that has reemerged as BlackMatter.
According to Recorded Future and Bleeping Computer, BlackMatter exhibits a target list and encryption strategy similar to DarkSide’s.
After looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a Darkside rebrand here. Crypto routines are an exact copy pretty much for both their RSA and Salsa20 implementation including their usage of a custom matrix.
— Fabian Wosar (@fwosar) July 31, 2021
About BlackMatter Ransomware
The new gang is actively soliciting network access to large companies on the dark web. It has posted ads seeking access to the corporate networks of firms in the United States, Canada, Australia, and the UK.
BlackMatter has also established a data leak site that already lists a few victims. One of those victims has even paid a ransom of $4 million.
In its “About” section, the gang lists the following sectors that it won’t attack. Notably, the list includes the oil and gas sector, possibly a lesson learned from the Colonial Pipeline incident.
- Hospitals
- Critical infrastructure including nuclear power plants, water treatment plants, and power plants
- Oil and gas industry (pipelines and refineries)
- Non-profit firms
- Defense industry
- Government sector
It is presently unclear whether the threat actors behind BlackMatter are the same ones behind DarkSide, or whether BlackMatter is a spin-off from other adversaries.