A new cyber ransomware group entered the cybercriminal arena this week, claiming that it is the successor to the now- infamous and now-defunct Darkside and REvil.
According to information security company Recorded Future, BlackMatter is currently looking for partners and has already posted relevant announcements on the Exploit and XSS hacker forums. The advertising of ransomware services on these two forums has been banned since May of this year, but the group does not violate this ban. BlackMatter is not advertising Ransomware-as-a-Service (RaaS) itself but is looking for so-called initial access brokers selling access to compromised corporate networks.
According to the ad, the group is only interested in accessing large companies with annual revenues of $ 100 million or more. The company’s network must be located in the US, UK, Canada or Australia, and its network must have 500-1500 hosts. For exclusive access to such a network, BlackMatter is ready to pay up to $ 100,000. Having chosen a suitable target, cybercriminals will use the access to its network purchased from a broker, use tools to gain control over the company’s internal systems, and then deploy ransomware on the network.
According to the grouping, it has the ability to encrypt data on different operating systems and on different architectures. This includes Windows (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices including Synology, OpenMediaVault, FreeNAS, and TrueNAS.
Like other top cyber ransomware groups, BlackMatter has its own leak site, where data stolen from victims who refused to pay the ransom will be published. The site went live this week, and so far there is no data on it (apparently, the group has not yet begun its operations).
According to the site of the leaks, BlackMatter will not attack hospitals, critical infrastructure (power plants, including nuclear power plants, water treatment plants, etc.), the oil and gas industry (fuel pipelines and refineries), defence enterprises, non-profit organizations and the government sector. If an organization from this list becomes a victim of the ransomware by mistake, the ransomware promises to decrypt its data for free.
The above list is very similar to the list previously published by the Darkside group, which ceased operations after a sensational attack on the American pipeline operator Colonial Pipeline.
Catch up on more articles here
Follow us on Twitter here