The Washington Times - Thursday, July 29, 2021

A new cybercriminal group, BlackMatter, has formed as a potential successor to the ransomware gangs responsible for major attacks hitting U.S. critical infrastructure, according to cyber intelligence professionals.

The cyber intelligence company Recorded Future said the BlackMatter group has incorporated features from ransomware gangs REvil and DarkSide.

The REvil group went dark earlier this month after hitting software company Kaseya and its customers, while the DarkSide gang appeared to dissipate after its hit on major U.S. fuel supplier Colonial Pipeline in May. 

BlackMatter has pledged not to hit certain industries, including critical infrastructure, defense, healthcare, oil and gas, and governments, among others, according to Recorded Future. But BlackMatter is targeting companies and entities with revenues of $100 million or more.

“BlackMatter, a member of the top-tier forum Exploit and likely an operator of BlackMatter ransomware, is currently advertising the purchase of access to corporate networks in the U.S., Canada, Australia, and the U.K.,” Recorded Future’s Insikt Group wrote on the company’s website.

The risk intelligence firm Flashpoint also has labeled BlackMatter as a “possible rebranding” of REvil and DarkSide but was more cautious in asserting BlackMatter’s connection to the other ransomware gangs. 

About a week after REvil looked to be shutting down, Flashpoint said it observed BlackMatter registering on Russian-language illicit websites and putting six-figure dollar sums of cryptocurrency into an escrow account. Flashpoint also noted that REvil’s spokesperson and BlackMatter appear to share a common understanding of acceptable targets.

“While the information may not be a smoking gun, it may indicate that REvil has not gone totally offline, but merely took a small hiatus following some high-profile breaches,” Flashpoint wrote on its website. “It is also important to note that two posts and a large escrow account do not make a ransomware group. It is possible that copycats are intentionally mimicking the behavior of REvil to gain immediate credibility for allegedly being the reincarnation of REvil.”

BlackMatter is not the only cybercriminal entity with links to REvil and DarkSide that has emerged after those gangs’ digital presence faded. Last month, cybersecurity firm FireEye said it detected a DarkSide affiliate targeting closed-circuit television software users.

Tracking cyberattackers and ransomware gangs is complicated, and the FBI previously told The Washington Times that it is tracking about a hundred different variants of ransomware responsible for dozens to hundreds of attacks. 

Bryan Vorndran, assistant director in the FBI’s cyber division, told the Senate Judiciary Committee this week that the federal government has built an algorithm that tracks the worst ransomware attackers. 

“We have an entire interagency algorithm that essentially prioritizes from one to 101 the level of impact that each variant has had on the United States, its economy, and its other various equities,” Mr. Vorndran said. “The largest one that we know of, we would estimate that their revenue from attacks exceeds 200 million dollars to give you some type of scope on the value proposition.”

• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.

Copyright © 2024 The Washington Times, LLC.