Last week, experts noticed the emergence of a new ransomware, BlackMatter, which combines the “best” features of the now defunct DarkSide and REvil. In particular, analysts at Recorded Future wrote at the time that the new group could be associated with DarkSide, which ceased operations in May of this year after the scandalous attack on the Colonial Pipeline company, which attracted too much attention from the authorities to the hackers.
Several companies have already suffered from BlackMatter, and the hackers demanded ransoms from them in the amount of 3 to 4 million dollars, Bleeping Computer now reports. One victim has already paid the attackers $4 million and received an ESXi decryptor for Windows and Linux from them.
The journalists showed this tool to information security expert Fabian Wosar, CTO of Emsisoft. He confirmed that BlackMatter uses the same unique encryption methods that the DarkSide group used in its attacks (including the special Salsa20 matrix unique to this group).
The publication also notes that if BlackMatter is just a “rebranding” of DarkSide, this explains some of the limitations listed on the hackers’ site. Among other things, the group states that it is not going to attack “the oil and gas industry (pipelines, oil refineries).” Let me remind you that it was the attack on the operator of the Colonial Pipeline that led to the “closure” of DarkSide.
Meanwhile, at the beginning of this week, Dmitry Smilyanets, an expert analyst at Recorded Future, interviewed a representative of the new extortion group. BlackMatter denies being involved with DarkSide; instead, the hackers say they were only inspired by “the work of colleagues.”
“Darkside is relatively new software with a good codebase (partly problematic, but the ideas themselves deserve attention) and an interesting web part when compared to other RaaS. [Our] executable file incorporates ideas from LockBit, REvil and partly DarkSide. The web part has incorporated the technical approach of DarkSide, as we consider it the most structurally correct (separate companies for each goal, and so on),” the criminals say.
When Smilyanets directly asked if the group’s representatives could confirm that their infrastructure is based on DarkSide, they replied:
“We can say for sure that we are fans of the dark theme in design and have known the DarkSide team for collaboration in the past, but we are not them, although we are close to their ideas.”