DarkSide ransomware gang is back as BlackMatter operation

The notorious DarkSide ransomware gang has relaunched as a new operation called BlackMatter, according to the encryption routines found in a BlackMatter decryptor, and is aggressively attacking corporate organizations.


International law enforcement and the US government stepped up their investigation of the DarkSide ransomware gang after its attack on Colonial Pipeline, the country's largest fuel pipeline.


After losing access to its servers in May, the DarkSide ransomware operation abruptly shut down, and its cryptocurrency was taken by an unknown third party.


The FBI later revealed that it had recovered 63.7 Bitcoins of the approximately 75 Bitcoin ($4 million) ransom payment made by Colonial Pipeline.


BlackMatter, a new ransomware operation that is actively targeting victims and buying network access from other threat actors to launch new attacks, surfaced this week.


The BlackMatter gang has carried out multiple attacks, demanding ransoms of $3 to $4 million.


One victim has already paid BlackMatter a $4 million ransom to have stolen data erased and a Windows and Linux ESXi decryptor sent to them.



BlackMatter ransom note




BleepingComputer discovered a decryptor from a BlackMatter victim and shared it with Emsisoft CTO and ransomware expert Fabian Wosar.


After reviewing the decryptor, Wosar confirmed that the new ransomware gang employs the same unique encryption methods DarkSide used in its attacks.





This ransomware gang uses the same encryption techniques as DarkSide, including a custom Salsa20 matrix that is unique to DarkSide.


According to Wosar, this Salsa20 implementation was previously seen only in DarkSide and is now being used by BlackMatter.


DarkSide's encryptor also used a custom RSA-1024 implementation, which BlackMatter uses as well.
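To make the "custom Salsa20 matrix" concrete, here is an added example (not code from the article, from DarkSide or from BlackMatter) of how the Salsa20 state matrix is built and why changing its constant words acts as a fingerprint. Standard Salsa20 fills the four diagonal words of its 4x4 state with the constant "expand 32-byte k"; analysts routinely locate Salsa20 in a binary by scanning for those words. A family that swaps them for its own values produces a different keystream and defeats that signature, while the custom values themselves become a tell that ties samples together. The CUSTOM constants below are placeholders chosen for illustration; DarkSide's actual matrix is not reproduced here.

```python
import struct

MASK = 0xFFFFFFFF

# Standard Salsa20 constants: "expand 32-byte k" as four little-endian words.
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)

# Hypothetical replacement constants for illustration only (assumption):
# a "custom matrix" in the sense of the article, not DarkSide's real values.
CUSTOM = (0xDEADBEEF, 0x0BADF00D, 0xFEEDFACE, 0xCAFEBABE)


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarterround(x, a, b, c, d):
    # Salsa20 quarterround as in the specification, operating in place.
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)


def salsa20_block(key, nonce, counter, consts=SIGMA, rounds=20):
    """Return one 64-byte keystream block.

    State layout (c = constant word, k = key word, n = nonce, b = block counter):
        c0 k0 k1 k2
        k3 c1 n0 n1
        b0 b1 c2 k4
        k5 k6 k7 c3
    The constants occupy the diagonal; that is what a "custom matrix" replaces.
    """
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    b = (counter & MASK, (counter >> 32) & MASK)
    state = [consts[0], k[0], k[1], k[2],
             k[3], consts[1], n[0], n[1],
             b[0], b[1], consts[2], k[4],
             k[5], k[6], k[7], consts[3]]
    x = state[:]
    for _ in range(rounds // 2):
        # column round
        _quarterround(x, 0, 4, 8, 12)
        _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6)
        _quarterround(x, 15, 3, 7, 11)
        # row round
        _quarterround(x, 0, 1, 2, 3)
        _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9)
        _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK for i in range(16)])


def salsa20_xor(key, nonce, data, consts=SIGMA):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(key, nonce, off // 64, consts)
        out += bytes(p ^ s for p, s in zip(data[off:off + 64], block))
    return bytes(out)


def scan_for_constants(blob, consts=SIGMA):
    """Signature check an analyst would run on a binary: which of the four
    constant words appear as little-endian dwords anywhere in blob."""
    return tuple(struct.pack("<I", c) in blob for c in consts)


if __name__ == "__main__":
    key, nonce = bytes(range(32)), b"\x00" * 8          # constructed sample inputs
    pt = b"BlackMatter sample plaintext for the Salsa20 fingerprint demo"
    ct_std = salsa20_xor(key, nonce, pt)                # standard matrix
    ct_custom = salsa20_xor(key, nonce, pt, CUSTOM)     # custom matrix
    print("same key/nonce, different matrix, same ciphertext?", ct_std == ct_custom)
    fake_binary = b"\x90" * 8 + b"expand 32-byte k" + b"\x90" * 8   # constructed
    print("standard constants found:", scan_for_constants(fake_binary))
    print("standard constants found in custom build:",
          scan_for_constants(struct.pack("<4I", *CUSTOM)))
```

The practical point for the comparison Wosar made: a decryptor that recovers files must embed the same matrix the encryptor used, so the constants (and the rest of the keystream logic) can be lifted from the decryptor and compared directly against DarkSide's. Matching non-standard constants is far stronger evidence of shared code than a match on standard Salsa20, which any number of unrelated projects use.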


Although there is no definitive confirmation that BlackMatter is a rebranding of the DarkSide operation, the similarities are numerous enough that it is hard to conclude otherwise.


The use of the same encryption algorithms, the rhetoric on BlackMatter's sites, the same appetite for media attention, and the color schemes of their Tor sites all point to BlackMatter being the new DarkSide.


