BlackMatter, a new ransomware-as-a-service affiliate program which describes itself as incorporating “the best features of DarkSide, REvil, and LockBit”, has launched with promises that it will not target non-profits, healthcare, defence, government, utilities or oil and gas.
In addition to its ‘good guy’ image, BlackMatter’s ‘about us’ page wouldn’t be too out of place in the private sector. They describe themselves as providing “the best service for our clients and partners compared to our competitors”, relying on “honesty and transparency”, and claim that “we never attack the company twice and always fulfil our obligations”.
The group was founded in July 2021, and is currently advertising for initial access brokers who can provide them with a way into organisations outside the above-listed sectors, with annual revenue of $100 million or more and with 500-15,000 hosts in their network.
BlackMatter is offering $3,000-$100,000 for network access, as well as a share of the potential ransom amount, and has a deposit of 4 bitcoins ($110,000) in an escrow account on the forum Exploit.
So far, no attacks by BlackMatter have been made public, though a representative for the group claimed in an interview with experts from Recorded Future that over the last six months they have attacked a number of companies who are now in communication with them. According to BleepingComputer, at least one victim has already paid out $4 million.
The public sector has always been a big target for ransomware. Companies in the sector tend to have a limited IT budget and often a complicated process to go through in order to approve spend and policy changes. And with the public depending on them for the provision of services, and political repercussions making PR issues a nightmare, they have a huge incentive to pay out and even to try to sweep breaches under the carpet.
Over the past year or so, a significant number of high-profile cyberattacks on critical national infrastructure in particular have made front-page news – but these, it seems, were finally a step too far.
On top of domestic measures to improve cybersecurity, particularly in critical national infrastructure, US President Joe Biden has taken a firm stance against cybercrime in the past few months, telling Russian President Vladimir Putin that the US would take “any necessary action” to prevent cyberattacks.
In June, Biden warned Putin that certain critical infrastructure should be considered “off-limits” for cyberattacks, and after a call early in July, he told the media: “I made it very clear to [Putin] that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.”
Later that month, he warned that “If we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach”.
Not all commentators are convinced that these warnings will be heeded – but prolific ransomware groups such as DarkSide and REvil, to whom attacks such as those on Colonial Pipeline and Kaseya were attributed, have disappeared from the scene, and the US Department of Justice announced in June that it had recovered $2.3 million of the $4.4 million worth of Bitcoin paid in ransom to DarkSide by Colonial Pipeline.
BlackMatter’s commitment to avoid certain sectors, and to provide free decryption for any victims in those sectors, is likely not a moral position (the team claims to have “one common interest – money”) but an attempt to avoid retribution from either the US or Russian authorities.
Superficially, Biden’s warnings and action taken by the authorities appear to have had an impact. Popular hacking forum XSS banned ads for ransomware-as-a-service, and after DarkSide announced their shutdown both REvil and Avaddon promised not to attack sectors such as government, healthcare and education before shutting down themselves.
However, many commentators think it’s too soon to celebrate.
DarkSide’s shutdown was suggested by many at the time to be an exit scam rather than a true defeat, with the gang planning to lie low and rebrand in order to escape the spotlight and to avoid having to pay its affiliates their share of what remained of the Colonial Pipeline ransom. Likewise, shutdown announcements from REvil, Avaddon and Babuk were met with suspicion, and many commentators pointed out that even if the groups did not re-emerge as identical operations with new names, affiliates would simply jump to a different operation rather than hanging up their hats for good.
It has been speculated that BlackMatter itself is simply a rebrand of DarkSide, based on BlackMatter’s encryption methods, writing mannerisms and colour scheme, as well as a seeming association with at least one actor affiliated with DarkSide. A BlackMatter representative told Recorded Future that they had worked with DarkSide in the past and were “fans of dark mode in design”, but denied the assertion that they were the same group.
Speaking in Russian to Recorded Future, a BlackMatter representative said that while fear of US retribution was to blame for the disappearance of groups such as DarkSide, REvil, Avaddon and Babuk, BlackMatter isn’t worried.
“We are monitoring the political situation, as well as receiving information from other sources,” the representative said. “When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell.”