Are you aware that both the REvil and DarkSide ransomware gangs have allegedly left the ransomware party? Now, a new ransomware group claims to be the successor of these two gangs.

What’s going on?

The emergence of a new threat actor following the shut down of DarkSide and REvil leaves us questioning its origins and possible, rebranding. BlackMatter is looking for affiliates and has posted ads on two cybercrime forums - XSS and Exploit.

Connection with REvil

BlackMatter shares similar targeting rules as those claimed by UNKN (REvil’s spokesperson), including not targeting healthcare and government facilities and non-profits.
  • They use the same tactic involving public corporate databases to scout for potential targets.
  • In addition to this, REvil’s Windows Registry key was labeled BlackLivesMatter.

All the above points indicate that REvil may not have completely disappeared but took a brief break from all the attacks. However, the prospect that this group might be a copycat, intentionally copying REvil to gain rapid credibility should not be disregarded. 

Connection with DarkSide

  • BlackMatter’s leak site is eerily similar to DarkSide’s leak site that is now defunct. 
  • Furthermore, BlackMatter explicitly stated that it will not target any critical infrastructure, as a nod to the Colonial Pipeline line attack by DarkSide. 
  • Nevertheless, no concrete evidence has been spotted to connect the two gangs and the investigation continues. 

The bottom line

These days, there’s no shortage of ransomware actors on the dark web. New threat actors are emerging as they feel the need to fill up the void left by REvil and DarkSide. BlackMatter is currently looking for affiliates with access to large corporate networks in the U.S., the U.K, Australia, or Canada. While the group does not openly state that it is an operator of a ransomware collective to steer away from scrutiny, its goals are a clear indication of it being one.

Cyware Publisher