After the infamous ransomware group DarkSide shut down its operations last month, a new group, BlackMatter, has emerged, claiming to be the successor to DarkSide and REvil.
The group posted announcements on hacker forums saying that it is looking for partners and is willing to pay $100 thousand for access to hacked networks of companies whose annual income is at least $100 million. BlackMatter has now given its first interview, in which it spoke about its ransomware and plans for the future. The conversation with Dmitry Smelyants, an analyst at the information security company Recorded Future, was conducted in Russian.
According to a BlackMatter spokesman, the group has been working on ransomware of the same name for six months. Before embarking on the development of the project, it studied the LockBit, REvil and DarkSide ransomware programs in detail and took the best from them.
In LockBit, the developers appreciated the good codebase but were unhappy with the inconvenient panel.
“Compared to a car, it’s like a Japanese car with a good engine, but an empty and dysfunctional interior. You can ride, but not much fun,” said a representative of BlackMatter.
The REvil ransomware is good all round: time-tested software that has changed little since the days of GandCrab, and a functional panel. However, it “focused more on the total number of successful downloads, rather than on specific target cryptography.”
In DarkSide, the developers liked the good codebase with interesting new ideas and “a more interesting web part than other RaaS”.
As Smelyants’ interlocutor explained, the executable part of the BlackMatter ransomware is based on the ideas of LockBit, REvil and partly DarkSide. The web component of the program is based on DarkSide's web component, since the developers considered it “the most correct in terms of structure” (separate companies for each target, etc.).
No victims are listed on the BlackMatter leak site yet, but this does not mean that there are none. The group has already attacked several companies and is currently negotiating a ransom with them. While negotiations are underway, information about the victims is not published on the site.
When asked whether BlackMatter is a new name for the same DarkSide (the operations of the two groups have a lot in common), Smelyants’ interlocutor replied that the group admires the work of its colleagues from DarkSide and is familiar with it firsthand – they used to work together.
“But we are not them, although their ideas are close to us,” the interlocutor assured.
The group plans to keep improving its product by adding new features, and is currently recruiting a team. BlackMatter is interested only in experienced penetration testers with their “own solutions and desire to make money,” and all script kiddies will be weeded out.
A BlackMatter spokesman said that the recent departure of such major players as DarkSide, REvil, Avaddon and BABUK from the ransomware arena is largely due to the geopolitical situation in the world.
“First of all, it is the fear of the United States and its intention to conduct offensive cyber operations, as well as the dual nature of cyber ransomware. We monitor the political situation and receive information from other sources. We designed our infrastructure with all these factors in mind and we can confidently say that we are able to withstand the offensive cyber capabilities of the United States,” said a spokesman for BlackMatter.
Time will tell how long the group will hold out, but BlackMatter is aiming for long-term operations. Careful moderation of victims (attacks on critical infrastructure and the oil and gas industry are prohibited in BlackMatter) will help it avoid unwanted attention from the authorities.
“We created a project and brought it to the market exactly at the time when the niche was vacated, and this project fully meets all the requirements of the market, which means that success is inevitable,” BlackMatter said.