The new BlackMatter ransomware was created by the authors of recently “closed” DarkSide

New BlackMatter ransomware

Last week, experts noticed the emergence of a new ransomware BlackMatter, which combines the “best” features of the now defunct DarkSide and REvil.

In particular, the analysts of Recorded Future wrote that the new group could be associated with DarkSide, which ceased operations in May of this year, after the scandalous attack on the Colonial Pipeline company, which attracted too close attention of the authorities to hackers.

Several companies have already suffered from BlackMatter, and hackers demanded a ransom from them in the amount of $ 3 to 4 million, Bleeping Computer now reports. One victim has already paid the cybercriminals $ 4 million and received an ESXi decryptor for Windows and Linux from them.

New BlackMatter ransomware

The journalists showed this tool to the information security expert and the technical director of the Emisosft company Fabian Vosar. He confirmed that BlackMatter uses the same unique encryption methods that the DarkSide group used in their attacks (including the special Salsa20 matrix, unique to this group).

The publication also notes that if BlackMatter is just a “rebranding” of DarkSide, this explains some of the limitations listed on the hackers’ site. So, among other things, the group reports that it is not going to attack “the oil and gas industry (pipelines, oil refineries).” Let me remind you that it was the attack on the operator of the Colonial Pipeline that led to the “closure” of DarkSide.

Meanwhile, at the beginning of this week, an expert analyst of Recorded Future, interviewed a representative of the new extortionist group. BlackMatter denies being involved with DarkSide; instead, the hackers say they were only inspired by “the work of colleagues.”

Darkside is relatively new software with a good codebase (partly problematic, but the ideas themselves deserve attention) and an interesting web part when compared to other RaaS. [Our] executable file incorporates ideas from LockBit, REvil and partly DarkSide. The web part has incorporated the technical approach of DarkSide, as we consider it the most structurally correct (separate companies for each goal, and so on).the criminals say.

When Smilyanets directly asked if representatives of the group could confirm that their infrastructure is based on DarkSide, they replied:

We can say for sure that we are fans of the dark theme in design and have known the DarkSide team for collaboration in the past, but we are not them, although their ideas are close to us.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *