Critical Infrastructure Security , Fraud Management & Cybercrime , Governance & Risk Management
BlackMatter Ransomware Appears to Be Spawn of DarkSideThe 'Darkside Rebrand' Signals the Return of More Supposedly Defunct Ransomware
Someone wielding DarkSide ransomware helped to launch the BlackMatter operation, security experts say.
See Also: 2022 Unit 42 Ransomware Threat Report
The new BlackMatter ransomware-as-a-service operation announced its launch last month via Russian-language cybercrime forums. "The project has incorporated in itself the best features of DarkSide, REvil and LockBit," a user with the handle "BlackMatter" claimed in July 19 posts, threat intelligence firm Recorded Future reported (see: BlackMatter Ransomware Claims to Be Best of REvil, DarkSide).
While ransomware operations may sometimes claim to retire or pause their attacks, security experts tracking their crypto-locking code in the wild often tell a different story.
Although ransomware operators love bluster, the BlackMatter operation, indeed, looks to have been spawned from at least one prior ransomware effort. Bleeping Computer reports that it was able to obtain a decryptor from a BlackMatter victim and share it with ransomware-hunting expert Fabian Wosar, CTO of security firm Emsisoft, for review. Wosar told the publication that numerous shared characteristics between the BlackMatter and DarkSide code means it's extremely likely they're the same.
"After looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a Darkside rebrand here," Wosar tweeted on Saturday. "Crypto routines are an exact copy pretty much for both their RSA and Salsa20 implementation including their usage of a custom matrix."
A copy of BlackMatter ransomware has also been uploaded by McAfee scientist Christiaan Beek to cybercrime tracking site Abuse.ch's MalwareBazaarDatabase, leading to other security firms also verifying that it's a rebranding of DarkSide.
After looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a Darkside rebrand here. Crypto routines are an exact copy pretty much for both their RSA and Salsa20 implementation including their usage of a custom matrix.— Fabian Wosar (@fwosar) July 31, 2021
"We have seen some indication that currently suggests that at least one actor connected to some DarkSide ransomware operations is aligning themselves with BlackMatter," Kimberly Goody, director of financial crime analysis at Mandiant, tells Bleeping Computer.
As that careful phrasing suggests, seeing someone attack organizations with reskinned DarkSide - now called BlackMatter - doesn't mean that the DarkSide operation, per se, has resurfaced. Instead, one or more individuals possess the code - and, seemingly, the ability to generate both encryptors and decryptors.
DarkSide was run as a ransomware-as-a-service operation, which refers to a business model in which operators supply crypto-locking malware to affiliates. The affiliates then use the malware to infect networks and share in any ransom paid by a victim. Experts say it's common for affiliates to keep 70% of ransoms, with 30% going to operators.
But it's not clear if whoever now has the DarkSide code helped found or run that operation, or if they were an affiliate or obtained the code via other means.
What is clear: Ransomware operations were making money hand over fist, seemingly with nothing to stop them, until the DarkSide operation hit Colonial Pipeline Co. on May 7, disrupting fuel deliveries to much of the U.S. East Coast.
Security experts have told me that the DarkSide affiliate that hit Colonial Pipeline probably didn't even really understand what the organization did.
Regardless, news of the attack provided a clear reminder to the world: Mess with Americans' gas tanks at your peril. The Biden administration has moved to more aggressively counter the ransomware business model, including by threatening Russian President Vladimir Putin that if he doesn't crack down on criminals operating from inside his country's borders, then the U.S. reserves the right to do so.
Passing the Buck
With the caveat that criminals lie, DarkSide blamed the Colonial Pipeline hit on an affiliate. This was disingenuous because DarkSide was a ransomware-as-a-service operation, meaning most - if not all - infections using DarkSide's malware would have been done by affiliates.
"In the affiliate model of ransomware, the affiliates are like contractors that you're responsible for," says Bob McArdle, director of cybercrime research at Trend Micro. "They're not quite like your core group. But they're still people that you're responsible for. And if they go off and do things that are outside your rules, just like in the real world, there's a certain amount of repercussions on you as the company that hired them, for want of a better word."
After Colonial Pipeline paid a $4.4 million ransom to DarkSide, the operation reported on May 13 that its infrastructure was being disrupted, and it said it would cease its operations. Unusually, the FBI also managed to recover some of that ransom.
"In view of the above and due to the pressure from the U.S., the affiliate program is closed. Stay safe and good luck," DarkSide reportedly said on its data leak site. "The landing page, servers and other resources will be taken down within 48 hours."
Ransomware Rebrands and Relaunches
The return of DarkSide's code being used in attacks comes as no surprise.
Security experts to whom I've spoken in recent weeks said they expected any operations that supposedly announced their retirement to quickly return to the fray with a new name and fresh branding. Likewise, affiliates typically work with multiple ransomware operations - often at the same time - meaning that if one closes up shop, many more remain.
Last week, for example, Wosar reported that at least one organization had suffered a fresh attack via the REvil - aka Sodinokibi - ransomware. The group behind that operation went quiet last month, following the July 2 attack it unleashed via Kaseya's remote management software, infecting about 60 of its managed service provider customers and up to 1,500 of their clients' systems. Kudos for Kaseya, however, in that it has obtained a decryptor - the company says it paid no ransom - and has been helping victims decrypt their files.
Whether REvil has made a comeback or someone else has obtained its code is not yet clear.
Yet another example concerns the DoppelPaymer - aka DopplePaymer - operation, which in May stopped posting new victims to its website. But now, the group is back in a new form, rebranded as Grief - for "pay or grief" (see: Ransomware Changes: DoppelPaymer Rebrands; Babuk Evolves).
The impetus for the name change is apparently the operator attempting to trick victims into paying it a ransom, despite the operation having been added to the sanctions list maintained by the U.S. Treasury Department's Office of Foreign Assets Control in 2019, says Brett Callow, a threat analyst at security firm Emsisoft.
"DoppelPaymer is a product of Evil Corp, and Evil likely launched and transitioned to the Grief brand either so organizations would not realize they are breaking OFAC sanctions when paying or, perhaps, to provide them with plausible deniability," he tells me.
So while ransomware operations may sometimes claim to retire or pause their attacks, security experts tracking their crypto-locking code in the wild often tell a different story.