Inactive ransomware operator
← All groupsBlackmatter
aka Darkside · 32 victims indexed · first seen 5 years ago · last activity 5 years ago
32
Victims indexed
#135 of 348 tracked operators
2m
Active period
Sep 2021 → Nov 2021
3
Countries hit
top Germany · 3
At a glance
- Status
- inactive
- Aliases
- Darkside
- First seen
- 5 years ago
- Last activity
- 5 years ago
- Onion sites
- 2 known endpoints
- Primary sector
- Finance · 3 hits
About
BlackMatter is a financially motivated ransomware-as-a-service operation that emerged in July 2021, positioning itself as a successor to the defunct DarkSide and REvil ransomware groups. The group is believed to operate from Russia or former Soviet states, recruiting Russian-speaking affiliates through underground forums and operating under the RaaS model where core developers provide ransomware tools to affiliate operators in exchange for a percentage of ransom payments. BlackMatter employs sophisticated attack methodologies including initial access through compromised VPN credentials, phishing campaigns, and exploitation of known vulnerabilities, followed by deployment of custom tools for lateral movement and credential harvesting before deploying their ransomware payload that uses a combination of RSA and Salsa20 encryption algorithms, while also implementing double extortion tactics by exfiltrating sensitive data prior to encryption and threatening public release if ransom demands are not met. Notable campaigns include attacks against critical infrastructure sectors particularly targeting agricultural cooperatives, technology companies, and financial institutions across the United States, Germany, and the United Kingdom, with ransom demands reportedly ranging from hundreds of thousands to millions of dollars. The group announced their dissolution in November 2021, claiming to cease operations due to pressure from law enforcement and government agencies, though security researchers believe the core operators likely transitioned to other ransomware variants or rebranded under different names.
References
184 linksExternal sources curated by the MISP threat-intel community.
- digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
- wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/
- darksidedxcftmqa.onion.foundation/
- tripwire.com/state-of-security/featured/blackmatter-pose-new-ransomware-threat
- venturebeat.com/2021/08/23/sophoslabs-research-shows-blackmatter-ransomware-is-closely-acquainted-with-darkside
- blog.group-ib.com/blackmatter#
- blog.group-ib.com/blackmatter2
- blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
- blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html
- medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751
- medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d
- medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2
- news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
- symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf
- thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html
- therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/
- twitter.com/GelosSnake/status/1451465959894667275
- twitter.com/VK_Intel/status/1423188690126266370
- umbrella.cisco.com/blog/cybersecurity-threat-spotlight-blackmatter-lockbit-thor
Timeline
3 months2021-09-01T00:00:00+00:002021-11-01T00:00:00+00:00
Top countries
🇩🇪 Germany
3
🇬🇧 United Kingdom
1
🇺🇸 United States
1
Top sectors
Finance
3
Food & Agriculture
1
Information Technology
1
Telecommunications
1
MITRE ATT&CK
12 techniques · 9 tacticsTactics
Initial AccessExecutionPrivilege EscalationDefense EvasionDiscoveryLateral MovementCollectionExfiltrationImpact
Techniques
- T1566Phishing
- T1190Exploit Public-Facing Application
- T1059Command and Scripting Interpreter
- T1055Process Injection
- T1548Abuse Elevation Control Mechanism
- T1562Impair Defenses
- T1083File and Directory Discovery
- T1018Remote System Discovery
- T1021Remote Services
- T1560Archive Collected Data
- T1041Exfiltration Over C2 Channel
- T1486Data Encrypted for Impact
Detection · YARA rules
2 rulesRANSOM_Darkside
YARA rule from ATR/Trellix: ransomware/RANSOM_Darkside.yar
source: ATR/Trellix
RANSOM_Darkside_DLL_May2021
YARA rule from ATR/Trellix: ransomware/RANSOM_Darkside.yar
source: ATR/Trellix
Recent victims
Loading…
Onion infrastructure
2 known- http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion
- http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/
Source
Updated 5 years agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.