28 July 2021

New successor of Darkside and REvil ransomware groups emerges on threat landscape

A new ransomware gang has emerged, which claims to be a successor of the notorious Darkside and REvil ransomware groups that went dark in the past few months.

According to BlackMatter, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”

According to Recorded Future researchers, who spotted the new operation, BlackMatter is currently recruiting affiliates through ads for "initial access brokers" posted on the well-known underground forums Exploit and XSS. The ads state that the group wants brokers who can supply access to high-value corporate networks: companies with annual revenue of $100 million or more, with between 500 and 15,000 hosts, located in the US, the UK, Canada, or Australia.

BlackMatter offers between $3,000 and $100,000 for network access, plus a share of any ransom eventually paid. According to the researchers, BlackMatter has placed a deposit of 4 bitcoins (about $110,000) on the Exploit forum, a common way for a new operation to signal to prospective affiliates that it is funded and serious.

The group claims its encryptor supports multiple operating systems and architectures: Windows (including encryption from Safe Mode), Linux (Ubuntu, Debian, CentOS), VMware ESXi 5 and later virtual hosts, and network-attached storage (NAS) devices (Synology, OpenMediaVault, FreeNAS, and TrueNAS). If accurate, this means hypervisors and backup storage, not just workstations and file servers, are in scope for an intrusion by its affiliates.

The group also operates a so-called leak site on the dark web, which is currently empty. Ransomware gangs use such sites to publish data stolen from compromised organizations when victims fail to pay, turning a single intrusion into a double-extortion scheme.

In a section on its website the group lists targets it says it will not attack: hospitals, critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities), the oil and gas industry (pipelines, oil refineries), the defense industry, non-profit organizations, and the government sector.
