According to cyber intelligence professionals, a new cybercriminal organization, BlackMatter, has emerged as a potential successor to the ransomware groups responsible for major attacks on U.S. critical infrastructure.
Network intelligence company Recorded Future stated that BlackMatter combines features of the ransomware groups REvil and DarkSide.
Earlier this month, the REvil group ran into trouble after attacking the software company Kaseya and its customers, while the DarkSide group attacked the major U.S. fuel supplier Colonial Pipeline in May.
According to Recorded Future, BlackMatter has promised not to hit certain industries, including critical infrastructure, defense, healthcare, oil and gas, and government. Instead, BlackMatter targets companies and other entities with revenues of more than $100 million.
“BlackMatter is a member of the top-tier forum Exploit, may be the operator of the BlackMatter ransomware, and is currently advertising to purchase corporate network access in the United States, Canada, Australia, and the United Kingdom,” Recorded Future’s Insikt Group wrote on the company’s website.
Risk intelligence company Flashpoint also labeled BlackMatter a “possible rebranding” of REvil and DarkSide, but was more cautious about asserting BlackMatter’s links to other ransomware groups.
About a week after REvil appeared to shut down, Flashpoint stated that it observed BlackMatter register on an illicit Russian-language forum and deposit a six-figure sum in cryptocurrency into an escrow account. Flashpoint also pointed out that the REvil spokesperson and BlackMatter appear to share a common understanding of acceptable targets.
“Although this information may not be conclusive evidence, it may indicate that REvil was not completely offline, but was temporarily suspended after some noticeable violations,” Flashpoint wrote on its website. “It is also important to note that two posts and a large escrow account do not constitute a ransomware group. Imitators may deliberately imitate REvil’s behavior in order to gain immediate credibility and call it the reincarnation of REvil.”
BlackMatter is not the only cybercriminal entity connected to REvil and DarkSide; others emerged after the digital presence of those gangs disappeared. Last month, the network security company FireEye said it had detected a DarkSide affiliate targeting users of closed-circuit television software.
Tracking cyber attackers and ransomware groups is complicated. The FBI previously told The Washington Times that it is tracking about a hundred different ransomware variants, each responsible for dozens to hundreds of attacks.
Bryan Vorndran, assistant director of the FBI’s Cyber Division, told the Senate Judiciary Committee this week that the federal government has developed an algorithm to track the most serious ransomware attackers.
“We have a complete inter-agency algorithm, basically from 1 to 101, prioritizing the degree of impact of each variant on the United States, its economy, and various other stocks,” Mr. Vorndran said. “The biggest one we know of, we estimate their revenue from attacks is more than $200 million, to give you a range of value propositions.”