The BlackMatter gang wants to take the place left by Darkside and REvil, who disappeared after entering the sights of the American authorities. Ambitious, the new organization wants to attack only big companies. But it is aware that it will have to sort through its targets to avoid the same fate as its predecessors.
The ransomware industry – malware that blocks victims’ computer networks and demands ransom – has lost two of its figures in quick succession. Darkside went out of business in May, then REvil took early retirement in July. What do they have in common? Both gangs have drawn the attention of US authorities after massive cyber attacks.
Darkside hit the operator of the Colonial Pipeline, crippling the supply of refined oil to the East Coast for a few days. REvil, meanwhile, hit the US division of food giant JBS and threatened domestic meat production.
However, since the arrival of the Biden administration earlier this year, the US government has taken a much more aggressive stance on ransomware than in the past. In both cases, the White House and President Joe Biden himself did not hesitate to confront Russia over its laissez-faire attitude towards the ransomware operators. A collaboration between the two countries on the subject is also in advanced discussion, and this sword of Damocles was reportedly enough to make the two gangs throw in the towel.
But in the cybercriminal world, one person’s bad business is another’s good business. At the end of July, a new gang posted a recruitment ad on two forums heavily followed by cybercriminals, without using the term “ransom”, which those forums have banned as a precaution since the recent turmoil. “BlackMatter” presents itself as better than all the others and says it will only target the biggest companies. Its idea, set out by one of its representatives in an interview with The Record Media: hack a small number of very large targets rather than a large number of small ones.
A gang dedicated to fishing for big fish
BlackMatter says it can encrypt systems faster than any of its competitors, and that it has taken the best of the two vanished gangs. It presents itself as easier to use, more secure and more adaptable to each type of network. The structure of its tool is so close to that of Darkside that several researchers have speculated that it is Darkside’s successor. But the group explains that it does not have the same operators as Darkside; it says it simply worked with them.
“We are a team that brings people together around a common interest: money,” it sums up simply on its site. And money is exactly what its creators want, in large amounts. To get it, they seek access to the networks of companies with a turnover of more than $100 million per year. And they are prepared to pay up to $100,000 to obtain exclusivity on such access, which would allow them to deploy their ransomware and hope to make the victim pay.
Ransoms demanded: over $4 million
Like all gangs, BlackMatter also has a blog where it threatens to publish the data of victims who do not pay the ransom. This double extortion technique has been the norm for almost two years. The site is currently empty, a sign that all of BlackMatter’s victims have so far given in and paid the ransom, even though specialists almost systematically advise against paying. According to BleepingComputer, the gang has already obtained at least one payment of $4 million.
Efficient as it may be, BlackMatter knows it will have to do everything to avoid the fate of its predecessors. This is why it clearly displays on its site the list of sectors it will not target: hospitals, critical infrastructure (nuclear, electricity, water treatment plants, etc.), the oil and gas industry, the defense industry, nonprofit organizations, and government. If it hits a company in one of these sectors by mistake, it undertakes to repair the damage free of charge.
But BlackMatter is far from the first to make those kinds of promises, and they have been broken many times in the past by other gangs, including Darkside. Except this time, sorting out victims could be a matter of survival for the group. “The distinction between the industries displayed on the blog and the forum is above all marketing,” a representative concedes to The Record. In fact, the sorting is purely pragmatic: “we check each target and decide if it can have potentially negative consequences for us.”
In short, the new gang has all the tools to take the places left by Darkside and REvil, among the most lucrative operators, provided it avoids the wrath of the authorities. “When we created our infrastructure, we took all of these factors into account, and we can say that we can withstand the cyber-offensive capabilities of the United States,” the BlackMatter spokesperson ventures, before adding: “For how long? We will see.”