There is no shortage of cybercriminal groups on the dark web. New threat actor groups and ransomware cartels continue to make their presence felt in the threat landscape. Cybersecurity researchers from threat intelligence firm Recorded Future recently spotted a new ransomware group, tracked as BlackMatter, advertising for recruits on two darknet forums, Exploit and XSS. The group reportedly posted ads for hiring “initial access brokers,” individuals with access to compromised enterprise networks.
Researchers stated that the BlackMatter gang is looking for affiliates who can access corporate networks that have 500 to 15,000 hosts. The group is focused on companies having revenue of $100 million per year, with locations in the U.S., the U.K., Canada, and Australia. The ransomware group was allegedly willing to pay up to $100,000 for access to high-profile networks.
“Once the group finds a suitable target, they will use the access granted by the broker to deploy tools that take over a company’s internal systems and then deploy their file-encrypting payload,” the researchers said.
The BlackMatter gang can encrypt different operating systems and architectures, including Windows, Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices like Synology, OpenMediaVault, FreeNAS, and TrueNAS. In addition, the group has a website – Leak Site – on the dark web, which is used to publish victims’ data if they refuse to pay the ransom.
The group stated that they do not aim to attack hospitals, the defense industry, critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities), the oil and gas industry (pipelines, oil refineries), non-profit organizations, and government agencies. They further claimed that if a victim is from the aforementioned sectors, they’ll decrypt their files for free.
While there is no evidence of any attacks from the BlackMatter gang yet, several security experts suspect that the group is a successor of the DarkSide ransomware group. The researchers claim that BlackMatter has capabilities similar to DarkSide, REvil, and LockBit ransomware operators. DarkSide gang recently disrupted the services of Colonial Pipeline in a ransomware attack. The company reportedly paid a $4.4 million ransom to restore its services.