BlackMatter - A Possible Successor to Darkside and REvil

REvil, also known as Sodinokibi, has been active since April of 2019, however, it is believed the group has been active much longer since it is a believe they are a rebranding of the hacker gang, GrandCrab, who is a group that appeared in 2018 and disappeared in May of 2019 after earning over $2 billion USD. The REvil group has been more audacious in choosing their victims. Some of their most notable victims include, the multinational hardware and electronics corporation Acer, Quanta Computers who is a supplier for Apple, one of biggest meat processing companies JBS, Kaseya who is an Manage Service Provider (MSP) for a plethora of companies, and HX5 a Florida based space and weapon-launch technology contractor, which counts the Army, Navy, Air Force, and NASA among its clients. A few days after the Kaseya and HX5 hack, REvil’s Happy Blog (shame blog) went offline.

While these two groups acted separately, it is strongly believed that Darkside is a spinoff of REvil. The ransomware code used by Darkside resembled the code used by REvil, and REvil’s code is not publicly available. They both used similarly structured ransom notes and the same code to check that the victim is not located in Russia or any other former Soviet Union countries. After their sudden disappearance a new ransomware group, calling themselves BlackMatter, surfaced.

BlackMatter first made their existence known on the DarkWeb. They proclaim themselves as successors to Darkside and REvil and claim that they have incorporated the best aspects of Darkside, REvil, and LockBit into their ransomware. Premium user “Inc” created a thread about an interview with a representative from the BlackMatter ransomware gang.

According to the representative of BlackMatter, they are not DarkSide rebranded. The group had admired the work of its colleagues from DarkSide and is familiar with it firsthand as they used to work together. However, according to the representative “But we are not them, although their ideas are close to us.” The BlackMatter spokesperson also mentions about the recent departures of major ransomware player such as REvil, Darkside, Avaddon, and Babk is largely due to the geopolitical situation in the world and the fear of the United State’s intention to conduct offensive cyber operations. However, BlackMatter boldly announced that they do not fear the the United States. “We designed our infrastructure with all these factors in and we can confidently say we are able to withstand the offensive capabilities of the United States.”