A new ransomware gang called BlackMatter has been in the spotlight recently after high-profile hacks occupied headlines.
Who is BlackMatter?
Many of these high-profile attacks have been carried out by ransomware gangs. The far-reaching but short-lived attack on the Colonial Pipeline, for example, was performed by a group calling itself DarkSide. The hack of Kaseya that took place in July of this year was performed by REvil.
DarkSide and REvil all but disappeared from the internet soon after their hacks became major news. Increased scrutiny from authorities, thanks in part to their ability to trace cryptocurrency payments despite the gangs’ reliance on its perceived anonymity, placed them in the international crosshairs and put the groups under too much pressure to continue normal operations.
The vacuum left by the absence of these two major gangs has seemingly been filled, at least in part, by BlackMatter.
BlackMatter’s operatives are native to Russia, and their coding is done in the Russian language.
While the operators of BlackMatter state that they are not members of either DarkSide or REvil, they say that they have close associations with the two gangs, hence the similarities in their ransomware’s appearance, coding, and effectiveness.
Cybersecurity experts agree with BlackMatter’s claims that they are not merely a rebranding of DarkSide but a new gang offering ransomware as a service.
What is ransomware as a service?
DarkSide and REvil were notorious providers of ransomware as a service (RaaS).
RaaS providers are made up of developers who create and maintain the malware as well as any affiliated payment sites. They sell their services to hackers, typically those whom they determine will make the best use of their ransomware.
BlackMatter claims that its ransomware provides the best features offered by both of the previous gangs.
What has BlackMatter done so far?
BlackMatter is new to the scene. While their track record is minimal at the moment, it shows a level of sophistication and ambition that supports the claims they have made regarding their pedigree.
However, it would appear that BlackMatter has learned a thing or two about the risks involved in attacking highly capable victims, or those that would generate public sympathy.
According to their website, the group will not attack the following industries and organizations:
- Hospitals or healthcare providers
- Critical infrastructure, such as pipelines or water treatment facilities
- Oil and gas providers
- Companies associated with the defense industry
- Non-profit organizations
- Government organizations
While it is tempting to attribute some of these forbidden victims to a moral code, it is more likely that BlackMatter is looking to maintain its existence by attacking companies that will not be as quick to warrant the attention of federal investigators. The gang’s official statement even goes on to say that if a company that falls under any of these descriptions is hit with their malware, they can reach out to receive a free decryption key.
BlackMatter does not operate under a political or “hacktivist” agenda like Anonymous. The gang is very open about their goals, stating that their only collective interest is “money.”
Thus far, BlackMatter has attacked:
- Olympus, a company known for building cameras as well as providing optical solutions for a wide range of industries.
- New Cooperative, a grain-supplying collective based out of Iowa. This attack led to an interesting exchange in which BlackMatter was compelled to offer its own definition of “critical infrastructure” in order to defend itself against the Biden administration’s listing of “food and agriculture” as a sector that would, if attacked, generate federal intervention.
- Marketron, a provider of management tools for the radio and broadcasting industry.
What is being done about BlackMatter?
Because BlackMatter is so new, at the time of this writing there is little information about what exactly the authorities are doing with regard to the gang. BlackMatter, like DarkSide and REvil, will likely find itself under pressure from both federal agencies as well as private cybersecurity firms.
It is safe to assume that the arrogance that BlackMatter has displayed, in spite of their supposed code of ethics and their willingness to debate them, will work against them as their branding will make hacking incidents easy to link to the group.
As powerful nations join forces and share intelligence related to hacker groups based out of China and Russia alike, one would hope that the swift squashing of BlackMatter will not only result in confidence in the alliance’s effectiveness but also serve as a lesson for future ransomware gangs who wish to fill the void left by DarkSide and REvil.
Time will tell if BlackMatter’s rise from the ashes results in a quick defeat or if the gang becomes a persistent thorn in the side of the world’s federal governments as they attempt to assert dominance over challenging, sophisticated technological opponents.
Keep ransomware opportunists at bay by following these steps at home as well as in the office:
- Create strong passwords. Use strong login credentials, and change your passwords frequently.
- Delete your cookies. Cookies are pieces of information that websites use to keep track of you. This data can potentially be used by hackers for nefarious purposes. Clear the cookies saved in your browser once every couple of weeks.
- Swap out your old hardware. Replace outdated hardware with refurbished firewalls or network switches from a reputable dealer.
- Hide your activity with a VPN. Using a VPN is a great way to keep your network hidden from hackers. Needless to say, multi-factor authentication can make the difference between safety and stolen data.