New Ransomware Gang BlackMatter Hits the Ground Running
- By Dawna M. Roberts
- Published: Sep 29, 2021
- Last Updated: Mar 18, 2022
Although the REvil group is presumed dead, a new hacker conglomerate has taken its place and appears to be using some of the REvil malware to accomplish its goals.
What is Happening?
Data Breach Today reports that a new malware actor calling itself BlackMatter may be a resurrection of the REvil and DarkSide gangs. The news comes from an announcement that a hacker nicknamed "BlackMatter" posted on two Russian forums this month announcing the opening of this new group and saying it offered a "greatest hits" take on some of the most notorious ransomware operations in history.
In one of the notices, BlackMatter claims that "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit."
Is REvil Really Gone?
Cybersecurity threat assessors question whether the REvil group has actually disbanded, since the group disappeared after the attack on Kaseya on July 2.
Data Breach Today comments that "The emergence of BlackMatter follows REvil apparently shutting down following the July 2 attack it unleashed via Kaseya's remote management software, infecting about 60 of its managed service provider customers and up to 1,500 of their clients' systems. On Thursday, Kaseya said it had obtained the ability to decrypt every victim's files and was helping them do so. On Monday, it issued a statement clarifying that it had not paid a ransom to REvil for a decryptor."
Shortly after, on July 13, REvil shut down its data leak site and payment portal, fueling rumors that the group was retired. The White House theorizes that perhaps the shutdown was simply a ruse before rebranding and returning stronger than ever.
CTO of Emsisoft, Fabian Wosar, posted on Twitter "REvil is back … at least sort of. We have seen a victim that was clearly hit by a patched REvil variant. The attacker likely patched an existing REvil payload to leave out the key blob that is usually encrypted, with the operator blob nulling it out."
Data Breach Today elaborates, "Wosar says whoever is wielding REvil may be one or more former affiliates of one or more ransomware-as-a-service operations. In such operations, administrators develop crypto-locking malware, which affiliates access as a cloud-based service via a portal. Affiliates use the code to infect organizations, and whenever a victim pays a ransom, the affiliate and the operation's administrators share in the profits."
Keep an Eye Out for BlackMatter
The user account for BlackMatter was registered on July 19, and shortly after, the user started advertising for help, offering $3,000-$100,000 to access brokers. Additionally, the same user opened an account on the Exploit forum and deposited 4 bitcoins ($120,000) into escrow.
Data Breach Today explains, "Escrow accounts are used by forums to protect buyers and sellers. For example, if a seller provides a service and a buyer fails to pay, the seller can file a complaint with the forum. If it's upheld, the forum can debit the amount from the buyer's escrow account to compensate the seller."
Threat assessors see that initial investment as a serious threat to keep an eye on. On July 21, BlackMatter "posted a notice on the forums, stating they are looking to purchase access to infected corporate networks in the U.S., Canada, Australia, and the U.K."
The group's data leak site promises they will not attack "hospitals, organizations that operate critical infrastructure, defense contractors or government agencies, among other types of targets."
Their ads to recruit new talent include strict requirements, presumably to ensure the candidates are not undercover law enforcement agents.
Regardless of whether or not these new bad actors are part of REvil or DarkSide, the threat remains real and imminent.