BlackMatter Ransomware

BlackMatter Ransomware Description

It seems that the void left after two of the biggest ransomware operations suddenly decided to shut down their activities is now starting to be filled by new players in the field. REvil and Darkside ceased operations after the groups performed massive ransomware attacks that, apparently, attracted too much unwanted attention. REvil compromised the networks of the global meat producer JBS and the managed network services provider Kaseya, while Darkside disrupted the operations of the oil pipeline operator Colonial Pipeline.

Now, a new ransomware outfit named BlackMatter is claiming to have incorporated the capabilities of both REvil and Darkside. The analysts at Recorded Future discovered the group advertising itself on underground hacker forums. To bypass the forums' recent decision to ban posts dealing with RaaS (Ransomware-as-a-Service) schemes, BlackMatter is instead looking for 'initial access brokers.' What this means in practice is that the newly established ransomware gang is looking to buy access to already compromised corporate networks.

Victims Must Meet Strict Requirements

In the posted advertisements, BlackMatter states that it is interested only in the biggest enterprises operating in four specific countries - the US, Canada, Australia and the UK. The potential victims also must have a yearly revenue of $100 million or higher. Furthermore, the breached networks must have between 500 and 15,000 hosts. For targets that meet the criteria, the hackers are willing to pay up to $100,000 to guarantee their exclusive access.

Once the group has obtained access to the chosen corporate network, it will deploy tools tasked with establishing control over the internal systems. The next step is to deploy the encryption payload to lock the data stored on the infected devices. BlackMatter, apparently, is ready to compromise a large set of different systems, including Windows, Linux, network-attached storage (NAS) devices and VMWare ESXi 5+ virtual endpoints.

Leak Site on the Dark Web

Like most current ransomware gangs, BlackMatter has also crafted its own dedicated leak site hosted on the Dark Web. According to the Recorded Future researchers, the site is empty at the moment, a testament to the group having formed only recently. There is some evidence casting doubt on this assumption, though. A section on the newly emerged leak site that lists the entities the group will not target bears a striking similarity to what was previously available on Darkside's site. The infrastructure of the BlackMatter operation detected by analysts so far may also point to a connection with Darkside, but at the moment nothing is conclusive.

Still, according to its site, BlackMatter will actively avoid compromising hospitals, critical facilities such as power plants, oil and gas industry organizations, non-profit organizations, and other entities of public importance. The hackers promise that if they accidentally encrypt the systems of a company from one of the excluded sectors, they will assist with the free decryption of all locked data.