BlackMatter ransomware Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

US authorities offer $10 million for information on DarkSide operators
Mon, 08 Nov 2021 21:21:27 +0000
https://gridinsoft.com/blogs/us-authorities-offer-10-million-for-information-on-darkside-operators/

The US government has offered a $10,000,000 reward for any information that could lead to the identification or arrest of members and operators of the DarkSide hack group.

It is emphasized that this reward can be obtained for any information about the heads of DarkSide who occupy key positions in the group. If an informant provides information that leads to the arrest of DarkSide affiliates (in any country) who help the hackers carry out attacks, that information can earn up to $5,000,000.


The US authorities said they are offering such a large reward because of the attack on the largest pipeline operator in the United States, the fuel transportation company Colonial Pipeline. Let me remind you that we covered this attack in detail: it was this incident that forced the authorities to declare a state of emergency in a number of states and became the straw that broke the camel's back. Law enforcement attention to ransomware increased, and hacker forums rushed to ban ransomware advertising.

“In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware,” the government's statement reads.

After the attack on Colonial Pipeline, which drew too much attention from the authorities to the hackers, DarkSide ceased its activities, claiming that it had lost access to some of its accounts and servers. However, experts soon reported that the new BlackMatter ransomware could be considered the “successor” of the DarkSide malware and that the group had clearly just carried out a “rebranding”.

However, we also wrote that after REvil shut down, members of the hack group DarkSide hastily moved $7 million.

The aforementioned BlackMatter also stopped operating last week, citing pressure from local authorities and some recent news. Representatives of the group did not explain exactly which news they were referring to, but the statement came after a series of major arrests in recent weeks.

Operators of the BlackMatter ransomware announced the termination of activity
Thu, 04 Nov 2021 16:47:45 +0000
https://gridinsoft.com/blogs/termination-of-blackmatter-ransomware/

The hackers behind the BlackMatter ransomware have announced the termination of their activity, citing pressure from local authorities.

The group announced it was “shutting down” on November 1, 2021, in the backend part of its darknet site, which is usually used by attackers’ partners.

“BlackMatter ransomware group has announced they’re shutting down operations following pressure from local authorities – they state key members are no longer ‘available’,” the Twitter account @vxunderground reported.

Representatives of the group did not explain what kind of pressure they are talking about, but this statement was published after a number of major events that have occurred in recent weeks.

First, Microsoft and Gemini Advisory recently linked the FIN7 criminal group (believed to be the developer of the DarkSide and BlackMatter malware) with the fake information security company Bastion Secure, which was looking for and hiring researchers.

Secondly, last week it was revealed that Emsisoft had secretly created a decryptor for BlackMatter, which was provided to victims so that they did not have to pay ransoms, considerably reducing the hackers’ profits.

Third, the New York Times reported over the weekend that Russia and the United States have begun closer cooperation to combat Russian-based cybercriminals and extortion groups. Let me remind you that FIN7 is a Russian-speaking group, and it is believed that it operates from Russia.

Fourth, the REvil ransomware recently shut down (for the second time this year), which, according to media reports, has been taken seriously by law enforcement agencies.

Fifth, what is happening may be associated with a large-scale operation by law enforcement agencies, during which 12 people responsible for 1,800 extortion attacks were recently detained.

It is also worth remembering that this is not the first time that these hackers have stopped their activities. The BlackMatter ransomware is considered the “successor” of the DarkSide malware, which stopped operating in May of this year after the scandalous attack on Colonial Pipeline, which drew too much attention from the authorities to the hackers.

On Twitter, Jeff Moss, founder of the well-known information security conferences Black Hat and DEF CON, notes that ransomware is half a political issue: law enforcement agencies usually know the identities of most of the malware operators, but they cannot pursue these hack groups due to Russia’s unwillingness to cooperate.

“Suggests the authorities have known all along and only once the pressure increased did they act. It’s examples like that that convinced me that ransomware is at least 50% a political problem,” Jeff Moss writes.

Judging by BlackMatter’s statement, the situation appears to have changed, although many cybersecurity experts already predict a new “rebranding” of the group and its imminent return.

BlackMatter ransomware attacked American farmers from NEW Cooperative
Tue, 21 Sep 2021 21:48:05 +0000
https://gridinsoft.com/blogs/blackmatter-attacked-new-cooperative/

The BlackMatter ransomware attacked the American farmers organization NEW Cooperative, which produces feed and grain, as well as works in the fields of agronomy, energy and software for farmers.

The hackers demanded $5.9 million for the decryptor and said the amount would rise to $11.8 million if the ransom was not paid within five days. In case of non-payment, the attackers also threatened to publish the data stolen from the victim (more than 1000 GB were allegedly stolen).


Bleeping Computer reports that NEW Cooperative representatives have already confirmed the attack and said they have shut down their systems to contain it. The threat has now been “successfully localized”, and NEW Cooperative is investigating the situation together with law enforcement agencies and information security experts.

According to the group’s website, the attackers claim to have stolen the source code of the soilmap.com project, research and development results, confidential employee information, financial documents, and the KeePass password manager database.

Interestingly, judging by screenshots of the correspondence between NEW Cooperative and the ransomware operators posted on Twitter, the victims asked the hackers why they were attacked at all, since NEW Cooperative is considered part of critical infrastructure and the attack could disrupt the supply of grain, pork and chicken.

It is worth recalling that in the summer of this year the DarkSide ransomware attacked the largest US pipeline operator, Colonial Pipeline, which transports fuel. That attack, which led to a state of emergency being declared in a number of states, became the straw that broke the camel's back: law enforcement attention to ransomware increased, and hacker forums rushed to ban ransomware advertising. Since then, many ransomware groups have strictly prohibited their “partners” from attacking critical infrastructure, medical facilities, the governments of several countries, and so on.

And while BlackMatter has similar bans, the attackers responded that NEW Cooperative “does not fall under these rules,” and threatened to double the ransom if the company did not change its approach to negotiations.

“I am not threatening you. It is simply beyond our power. We cannot control the actions of regulators and the US government. The consequences of this attack are likely to be much worse than the attack on the pipeline, and we have no control over this given that [the attack] has already led to disruptions. I’m just saying so you don’t seem surprised because you don’t seem to understand who we are and what role our company plays in the food supply chain,” a spokesman for NEW Cooperative wrote to the hackers.

The BlackMatter representative answered this very succinctly:

Nobody will give you a decoder for free, look for money.

It should also be said that many information security specialists believe that BlackMatter is a revived DarkSide, that is, a ransomware created by the same authors. Because of this, the cybersecurity community now jokes that by attacking NEW Cooperative, DarkSide operators again made the wrong choice.

The new BlackMatter ransomware was created by the authors of recently “closed” DarkSide
Wed, 04 Aug 2021 16:50:47 +0000
https://gridinsoft.com/blogs/new-blackmatter-ransomware/

Last week, experts noticed the emergence of a new ransomware BlackMatter, which combines the “best” features of the now defunct DarkSide and REvil.

In particular, Recorded Future analysts wrote that the new group could be associated with DarkSide, which ceased operations in May of this year after the scandalous attack on Colonial Pipeline, which attracted too much attention from the authorities to the hackers.

Several companies have already suffered from BlackMatter, and the hackers demanded ransoms of $3 to 4 million from them, Bleeping Computer now reports. One victim has already paid the cybercriminals $4 million and received an ESXi decryptor for Windows and Linux from them.


The journalists showed this tool to information security expert Fabian Wosar, technical director of Emsisoft. He confirmed that BlackMatter uses the same unique encryption methods that the DarkSide group used in its attacks (including the special Salsa20 matrix unique to this group).

The publication also notes that if BlackMatter is just a “rebranding” of DarkSide, this explains some of the restrictions listed on the hackers’ site. Among other things, the group states that it is not going to attack “the oil and gas industry (pipelines, oil refineries).” Let me remind you that it was the attack on the operator of the Colonial Pipeline that led to the “closure” of DarkSide.

Meanwhile, at the beginning of this week, Recorded Future expert analyst Smilyanets interviewed a representative of the new extortionist group. BlackMatter denies being involved with DarkSide; instead, the hackers say they were only inspired by “the work of colleagues.”

“Darkside is relatively new software with a good codebase (partly problematic, but the ideas themselves deserve attention) and an interesting web part when compared to other RaaS. [Our] executable file incorporates ideas from LockBit, REvil and partly DarkSide. The web part has incorporated the technical approach of DarkSide, as we consider it the most structurally correct (separate companies for each goal, and so on),” the criminals say.

When Smilyanets directly asked if representatives of the group could confirm that their infrastructure is based on DarkSide, they replied:

We can say for sure that we are fans of the dark theme in design and have known the DarkSide team for collaboration in the past, but we are not them, although their ideas are close to us.

BlackMatter ransomware attacks companies with revenues above $100 million
Thu, 29 Jul 2021 15:40:54 +0000
https://gridinsoft.com/blogs/blackmatter-ransomware-attacks/

Recorded Future analysts have discovered a new hack group accompanying the BlackMatter ransomware that attacks large companies and combines the “best” features of the now defunct DarkSide and REvil.

Researchers say the group is currently recruiting “partners” through announcements on the hacker forums Exploit and XSS.

Although any advertising related to ransomware has been banned on these sites since May 2021, BlackMatter members are not advertising Ransomware-as-a-Service (RaaS) but are posting advertisements seeking “initial access brokers”, that is, people who have access to compromised corporate networks.


According to the announcement, BlackMatter is only interested in working with brokers who can provide access to the networks of large companies, whose income is $100 million per year or more. Such a network must have between 500 and 15,000 hosts and must be located in the United States, United Kingdom, Canada, or Australia.

Hackers write that they are willing to pay up to $100,000 for exclusive access to any of the suitable networks.

The members of the group boast that they can encrypt data on different operating systems and architectures. These include Windows (via Safe Mode), Linux (Ubuntu, Debian, CentOS), VMware ESXi 5+, as well as Synology, OpenMediaVault, FreeNAS and TrueNAS NAS devices.

Like most modern ransomware operations, the BlackMatter group has already launched its own data leak site, where the hackers intend to publish information stolen from victims if the hacked company does not agree to pay the ransom for decrypting its files. So far, the site is empty, since BlackMatter announced itself only this week and has not attacked anyone yet.

The BlackMatter website lists targets that the group is not going to attack (in case of accidental infection, the data of the victims will be decrypted for free). The list includes:

  • hospitals;
  • critical infrastructure facilities (nuclear power plants, power plants, water treatment plants);
  • oil and gas industry (pipelines, oil refineries);
  • defense industry;
  • non-profit organizations;
  • government sector.

Recorded Future analysts believe that the new group may be linked to another notorious ransomware operation, DarkSide, which ceased operations in May this year after the scandalous attack on Colonial Pipeline, which drew too much attention from the authorities to the hackers. However, for now the researchers are not drawing final conclusions and continue to investigate.
