28 July 2021

New successor of Darkside and REvil ransomware groups emerges on threat landscape


A new ransomware gang has emerged, which claims to be a successor of the notorious Darkside and REvil ransomware groups that went dark in the past few months.

According to BlackMatter, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”

According to Recorded Future researchers, who spotted the new ransomware operation, the group, dubbed BlackMatter, is currently seeking affiliates via ads for recruiting "initial access brokers," posted on the well-known hacker forums Exploit and XSS. The ads say that the group is interested in working with brokers who can provide it with access to high-value corporate networks, meaning companies with revenues of $100 million per year and more. The networks are required to have between 500 and 15,000 hosts and be located in the US, the UK, Canada, or Australia.

BlackMatter offers a $3,000-$100,000 price range for network access, as well as the share from the potential ransom amount. BlackMatter has a deposit of 4 bitcoins ($110,000) on the forum Exploit, according to the researchers.

The group says it has the ability to encrypt different operating system versions and architectures, including Windows systems (via Safe Mode), Linux (Ubuntu, Debian, CentOS), VMware ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices (Synology, OpenMediaVault, FreeNAS, and TrueNAS).

The group also operates a so-called leak site (currently empty) on the dark web. Ransomware gangs typically use such websites to publish data stolen from hacked companies and organizations if the victims fail to pay a ransom.

In a section on its website the group listed targets it says it will not attack. These include hospitals, critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities), the oil and gas industry (pipelines, oil refineries), the defense industry, non-profit organizations, and the government sector.
