Haron and BlackMatter ransomware groups appeared on hacker forum

Two new ransomware-as-a-service (RaaS) programs have emerged on the threat radar this month, one of which claims to be a successor to DarkSide and REvil, the two infamous ransomware organizations that went dark after massive attacks on Colonial Pipeline and Kaseya in recent months, as reported by The Hacker News.


“The project has incorporated the best features of DarkSide, REvil, and LockBit,” the new BlackMatter group’s operators wrote on their darknet public blog, promising not to attack organizations in industries such as healthcare, critical infrastructure, oil and gas, defense, non-profit, and government.



According to Flashpoint, the BlackMatter threat actor registered an account on the Russian-language forums XSS and Exploit on July 19 and quickly followed it up with a post stating that they are looking to purchase access to infected corporate networks containing anywhere between 500 and 15,000 hosts in the United States, Canada, Australia, and the United Kingdom, with annual revenues of over $100 million, potentially hinting at a large-scale ransomware operation.


Flashpoint researchers claim that the threat actors have deposited 4 BTC (approximately $150,000 USD) into their escrow account. Large deposits on the forum indicate the seriousness of the threat actor.



BlackMatter ransomware note



As per the report, on July 27, the group is said to have started actively recruiting partners and affiliates using the Exploit forum’s Jabber server, claiming to be looking for experienced penetration testers who are familiar with Windows and Linux systems, as well as initial access suppliers who would sell their access for a percentage of the profits.


Last month, enterprise security firm Proofpoint revealed how ransomware gangs are increasingly purchasing access from independent cybercriminal groups that infiltrate major targets and then provide them with an entry point to deploy data theft and encryption operations in exchange for a cut of the illicit profits.


“It is possible that copycats are intentionally mimicking the behavior of REvil to gain immediate credibility for allegedly being the reincarnation of REvil,” Flashpoint said.


However, BlackMatter isn’t the only newcomer. Haron, another new entrant to the cybercrime environment that appeared this month and draws heavily from earlier ransomware variants such as Thanos and the now-discontinued Avaddon, was unveiled last week by South Korean security firm S2W Labs.


