A new ransomware gang has emerged that claims to be a successor to the notorious DarkSide and REvil ransomware groups, which went dark in the past few months.
According to BlackMatter, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”
According to Recorded Future researchers, who spotted the new ransomware operation, the group, dubbed BlackMatter, is currently seeking affiliates through ads recruiting “initial access brokers,” posted on the well-known hacker forums Exploit and XSS. The ads say that the group is interested in working with brokers who can provide it with access to high-value corporate networks, meaning companies that have revenues of $100 million/year and more. The networks are required to have between 500 and 15,000 hosts and be located in the US, the UK, Canada, or Australia.
BlackMatter offers a $3,000-$100,000 price range for network access, as well as a share of the potential ransom amount. BlackMatter has a deposit of 4 bitcoins ($110,000) on the forum Exploit, according to the researchers.
The group says it has the ability to encrypt different operating system versions and architectures, including Windows systems (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMware ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices (Synology, OpenMediaVault, FreeNAS, and TrueNAS).
The group also operates a so-called leak site (currently empty) on the dark web. Ransomware gangs usually use such websites to publish data stolen from hacked companies and organizations if victims fail to pay a ransom.
In a section on its website, the group listed targets it will not attack. These include hospitals, critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities), the oil and gas industry (pipelines, oil refineries), the defense industry, non-profit companies, and the government sector.