Digital sleuths at cyber threat intelligence firms have found clues that a seemingly new ransomware organization has links to DarkSide and REvil, two gangs that suddenly disappeared shortly after major attacks.
From the moment DarkSide vanished following the Colonial Pipeline incident and REvil went dark after locking up JBS and customers of Kaseya, questions swirled about whether a government took them down, whether attackers quit, or whether they simply went underground to rebrand. Flashpoint, Mandiant and Recorded Future on Tuesday and Wednesday said they discovered at least some connection between DarkSide and/or REvil and BlackMatter, a group that emerged last week.
“The project has incorporated in itself the best features of DarkSide, REvil, and LockBit,” BlackMatter itself proclaimed, according to Recorded Future. LockBit is another ransomware operation that first appeared in 2019, and all three are thought to operate out of Russia. Exactly what “best features” BlackMatter borrowed from other groups remains unclear.
While Recorded Future declared BlackMatter a “successor” to DarkSide and REvil, the other two companies didn’t reach definitive conclusions. Flashpoint said BlackMatter very well could amount to a rebranding.
The group registered on two Russian-language forums on July 19 and deposited approximately $110,000 in its escrow account.
Whoever they are, the hackers are now seeking to purchase access to corporate networks in the U.S., Canada, Australia and U.K. with an emphasis on targets with at least $100 million in revenue. BlackMatter says it won’t go after medical and government organizations.
Flashpoint pointed out that some of those targeting rules are similar to the ideals espoused, if not practiced, by the REvil spokesperson with the handle “Unknown.” The firm also said that REvil previously labeled their Windows registry key “BlackLivesMatter.”
The Russian forums where BlackMatter registered, XSS and Exploit, announced a ransomware discussion ban in May after the Colonial Pipeline hack. Shortly after, the website for the group that’s been widely blamed for the breach, went offline. After the Kaseya hack this month, the REvil site went down, while the XSS forum banned the Unknown spokesperson on the same day.
Mandiant pointed to another link to DarkSide, with caveats.
“We have seen some indication that currently suggests that at least one actor connected to some DARKSIDE ransomware operations is aligning themselves with BLACKMATTER,” Kimberly Goody, director of financial crime analysis at Mandiant Threat Intelligence, said in an email. “This isn’t necessarily surprising as we commonly see ransomware affiliates partnering with multiple providers.”
Ransomware gangs have proven fluid in their business operations, structuring themselves as partnerships, as conglomerates or offering an affiliate model where they lend other crooks access to their custom ransomware and other infrastructure in exchange for a share of profits.
Recorded Future said the party that registered the BlackMatter name on the Exploit forum is likely an operator of BlackMatter-labeled ransomware. The group has a public “BlackMatter ransomware” blog.
However, BlackMatter was more coy on the two Russian forums.
“BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn’t break the rules of the forums, though the language of their post, as well as their goals clearly indicate that they are a ransomware collective operator,” Flashpoint wrote.