BlackMatter Ransomware Comes Out of the Shadows as Darkside and REvil Successor

Insikt Group, a team of researchers from Recorded Future, published an article on July 27th about a new ransomware-as-service (RaaS) called BlackMatter. The threat actors behind the service claim that “the project has incorporated in itself the best features of DarkSide, REvil, and LockBit.”

BlackMatter operates a website on the dark web, called a leak site, where the group intends to publish data stolen from victims who do not pay the extortion demand. The site is currently empty, which indicates that the group has only recently launched and has not yet carried out any intrusions, or at least has not concluded any negotiations with victims. The group is using two popular criminal forums, XSS and Exploit, to advertise its ransomware, even though many criminal forums have banned discussion of ransomware on their platforms.

The group claims that it will not attack certain industries, such as hospitals, critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities), the oil and gas industry (pipelines, oil refineries), the defense industry, non-profit organizations, or government agencies. The group also claims that if any organization in these industries does become a victim, BlackMatter will decrypt its data for free. The Record notes that this wording is “eerily similar” to a section on the leak site of the DarkSide group, which has since ceased operations.

BlackMatter boasts of its ability to encrypt various operating system versions and architectures, including a Windows variant with Safe Mode support and a Linux variant with support for network-attached storage (NAS) products such as Synology, OpenMediaVault, FreeNAS, and TrueNAS. The group claims the ransomware was successfully tested on Linux ESXI 5+, Ubuntu, Debian, and CentOS, and on Windows Server 2003+ and Windows 7+.

Analyst Notes

To protect against ransomware attacks, it is advised to back up data regularly and to password-protect the backups. Developing a continuous monitoring program or hiring a third-party security provider is another strongly advised precaution. Training employees on issues such as not reusing passwords, not opening attached document files, and always enabling multifactor authentication can help prevent an attack before it even starts. Centralized logging is a crucial asset to have in place before an attacker arrives, so that incident responders can assess the situation quickly and remove the threat.