
New 'BlackMatter' ransomware gang has echoes of REvil

Although connections are being made between ransomware groups REvil and BlackMatter, the jury is still out on whether they have threat actors in common.

A new ransomware actor is in town, and it appears to have similarities with the recently vanished REvil and DarkSide gangs.

Threat intelligence vendor Flashpoint published research Tuesday regarding the recent appearance of a new ransomware threat actor going by the name "BlackMatter." According to the vendor's report, BlackMatter made accounts on Russian-language hacking forums XSS and Exploit on July 19 and deposited four bitcoin, which is just under $160,000. Two days later, they posted a ransomware ad.

"On July 21, the threat actor posted a notice on the forums, stating they are looking to purchase access to infected corporate networks in the US, Canada, Australia, and the UK, presumably for ransomware operations," Flashpoint's blog post read. "The threat actor said they are looking for larger corporate networks with revenues of over US $100 million."

In addition to being a new, potentially serious threat group, BlackMatter shares a few similarities with two notorious ransomware gangs: REvil, of the recent ransomware supply chain attack against Kaseya, and DarkSide, which was responsible for the Colonial Pipeline ransomware attack.

Flashpoint made four primary connections between REvil, BlackMatter and, to a lesser extent, DarkSide. First, the timing: DarkSide was banned from the widely known XSS, Exploit and Raid forums after the pipeline attack, and REvil spokesperson "UNKN" was banned from XSS on July 13, the day REvil's leak site went down. Second, UNKN "relayed DarkSide's shutdown through a forum post." Third, BlackMatter and REvil both explicitly say they will not target medical and government institutions. Fourth, according to Flashpoint, "REvil previously labeled their Windows Registry key 'BlackLivesMatter.'"

The vendor speculated that while not a smoking gun, "it may indicate that REvil has not gone totally offline, but merely took a small hiatus following some high-profile breaches." Flashpoint added, "It is also important to note that two posts and a large escrow account do not make a ransomware group. It is possible that copycats are intentionally mimicking the behavior of REvil to gain immediate credibility for allegedly being the reincarnation of REvil."
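The registry key name cited above is the one indicator in Flashpoint's list that a defender can check for directly on a host. The following is an added example written for this page, not code from the article, Flashpoint or any of the groups discussed. The article gives only the key name "BlackLivesMatter"; the hives and the SOFTWARE parent path searched below are assumptions, so a miss does not clear a host and a hit on its own is not proof of REvil or BlackMatter activity.

```powershell
# Added example (not from the article): read-only search for a registry subkey
# named "BlackLivesMatter", the key name the article attributes to REvil.
# ASSUMPTION: the key lives directly under one of these SOFTWARE roots. The
# article does not state a path, so these locations are a guess, not an IoC.
function Find-NamedRegistryKey {
    param(
        [string]$KeyName = 'BlackLivesMatter',
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\SOFTWARE')
    )

    foreach ($root in $Roots) {
        $path = Join-Path -Path $root -ChildPath $KeyName
        if (Test-Path -LiteralPath $path) {
            # Emit the key and its value names/data so an analyst can compare
            # them against a known sample rather than acting on the name alone.
            $props = Get-ItemProperty -LiteralPath $path
            [pscustomobject]@{
                Path   = $path
                Found  = $true
                Values = ($props.PSObject.Properties |
                          Where-Object { $_.Name -notlike 'PS*' } |
                          ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        } else {
            [pscustomobject]@{ Path = $path; Found = $false; Values = '' }
        }
    }
}

# Usage: run in an elevated PowerShell session on the host under review.
Find-NamedRegistryKey | Format-Table -AutoSize
```

Treat a hit as a lead for triage (collect the key's values, the process that wrote it and the relevant event logs), not as attribution: as Callow notes further down, links between groups cannot be assessed without a sample of the ransomware itself.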

[Image: BlackMatter ransomware dark web leak site] A dark web ransomware leak site from BlackMatter that promises not to hit hospitals, oil pipelines and governments.

In an email to SearchSecurity, Flashpoint senior director of research and analysis Ian Gray clarified that the vendor's analysts can assess "with low to moderate confidence that BlackMatter is a successor to REvil," and that there is no concrete evidence connecting DarkSide to BlackMatter.

Recorded Future's Insikt Group also made connections between the three actors in its Tuesday report. According to the vendor, BlackMatter has described itself in these terms: "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit."

Emsisoft threat analyst Brett Callow told SearchSecurity that he doubts DarkSide would maintain any association with a new operation, given its current reputation.

"Darkside closed shop under a cloud, having failed to pay their affiliates after the seizure of their BTC [bitcoin] funds by law enforcement. Given that their reputation is significantly damaged, it would make little sense for them to purposefully link a new operation to the DarkSide brand," he said.

The Recorded Future research also mentioned BlackMatter's new ransomware blog, which SearchSecurity independently accessed. It contained promises from the actor not to attack hospitals, critical infrastructure, oil and gas pipelines and refineries, defense, nonprofit organizations and governments, offering free decryption for anyone attacked in these sectors. The gang promises "honesty and transparency" in its dealings, though what that means for a ransomware gang is unknown.

On BlackMatter's home page, no leaks are present. Instead, it has a message: "All blogs hidden for now. For a very short time."

Callow expressed doubt that BlackMatter is directly connected with other big-name ransomware gangs, but said that it's too soon to tell.

"I suspect BlackMatter is operated by low-level skids who foolishly believe they can benefit from associating themselves with a well-known group," Callow said. "But who knows? Criminals aren't necessarily smart and don't necessarily make good or logical decisions. Until we obtain a sample of the ransomware, it's impossible to say what, if any, links may exist between BlackMatter and other groups."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
