Skip to main content

Operator dossier

Blackmatter (also tracked as Darkside) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 42 public victims claimed by this operator between August 1, 2020 and November 4, 2021. BlackMatter is a financially motivated ransomware-as-a-service operation that emerged in July 2021, positioning itself as a successor to the defunct DarkSide and REvil ransomware groups. The group is believed to operate from Russia or former Soviet states, recruiting Russian-speaking affiliates through underground forums and operating under the RaaS model where core developers provide ransomware tools to affiliate operators in exchange for a percentage of ransom payments. BlackMatter employs sophisticated attack methodologies including initial access through compromised VPN credentials, phishing campaigns, and exploitation of known vulnerabilities, followed by deployment of custom tools for lateral movement and credential harvesting before deploying their ransomware payload that uses a combination of RSA and Salsa20 encryption algorithms, while also implementing double extortion tactics by exfiltrating sensitive data prior to encryption and threatening public release if ransom demands are not met. Notable campaigns include attacks against critical infrastructure sectors particularly targeting agricultural cooperatives, technology companies, and financial institutions across the United States, Germany, and the United Kingdom, with ransom demands reportedly ranging from hundreds of thousands to millions of dollars. The group announced their dissolution in November 2021, claiming to cease operations due to pressure from law enforcement and government agencies, though security researchers believe the core operators likely transitioned to other ransomware variants or rebranded under different names.

Most-affected countries

Recent disclosures by Blackmatter

All 42 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Blackmatter

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Blackmatter

aka Darkside · 42 victims indexed · first seen 6 years ago · last activity 5 years ago

42
Victims indexed
#118 of 364 tracked operators
1y 3m
Active period
Aug 2020 → Nov 2021
7
Countries hit
top United States · 4

At a glance

Status
inactive
Aliases
Darkside
First seen
6 years ago
Last activity
5 years ago
Onion sites
3 known endpoints
Primary sector
Finance · 3 hits

About

BlackMatter is a financially motivated ransomware-as-a-service operation that emerged in July 2021, positioning itself as a successor to the defunct DarkSide and REvil ransomware groups. The group is believed to operate from Russia or former Soviet states, recruiting Russian-speaking affiliates through underground forums and operating under the RaaS model where core developers provide ransomware tools to affiliate operators in exchange for a percentage of ransom payments. BlackMatter employs sophisticated attack methodologies including initial access through compromised VPN credentials, phishing campaigns, and exploitation of known vulnerabilities, followed by deployment of custom tools for lateral movement and credential harvesting before deploying their ransomware payload that uses a combination of RSA and Salsa20 encryption algorithms, while also implementing double extortion tactics by exfiltrating sensitive data prior to encryption and threatening public release if ransom demands are not met. Notable campaigns include attacks against critical infrastructure sectors particularly targeting agricultural cooperatives, technology companies, and financial institutions across the United States, Germany, and the United Kingdom, with ransom demands reportedly ranging from hundreds of thousands to millions of dollars. The group announced their dissolution in November 2021, claiming to cease operations due to pressure from law enforcement and government agencies, though security researchers believe the core operators likely transitioned to other ransomware variants or rebranded under different names.

References

184 links

External sources curated by the MISP threat-intel community.

Timeline

6 months
2020-08-01T00:00:00+00:00 · 12021-02-01T00:00:00+00:00 · 62021-05-01T00:00:00+00:00 · 32021-09-01T00:00:00+00:00 · 262021-10-01T00:00:00+00:00 · 12021-11-01T00:00:00+00:00 · 5
2020-08-01T00:00:00+00:002021-11-01T00:00:00+00:00

Top countries

🇺🇸 United States
4
🇩🇪 Germany
3
🇬🇧 United Kingdom
2
🇨🇦 Canada
2
🇮🇹 Italy
1
🇹🇭 Thailand
1
🇧🇷 Brazil
1

Top sectors

Finance
3
Commercial Facilities
3
Transportation & Logistics
2
Information Technology
2
Transportation Systems
2
Food & Agriculture
2
Healthcare
1
Energy
1

MITRE ATT&CK

12 techniques · 9 tactics

Tactics

Initial AccessExecutionPrivilege EscalationDefense EvasionDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1055Process Injection
  • T1548Abuse Elevation Control Mechanism
  • T1562Impair Defenses
  • T1083File and Directory Discovery
  • T1018Remote System Discovery
  • T1021Remote Services
  • T1560Archive Collected Data
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Detection · YARA rules

2 rules
  • RANSOM_Darkside

    YARA rule from ATR/Trellix: ransomware/RANSOM_Darkside.yar

    source: ATR/Trellix

  • RANSOM_Darkside_DLL_May2021

    YARA rule from ATR/Trellix: ransomware/RANSOM_Darkside.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

3 known
  • http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion
  • http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/
  • http://darksidc3iux462n6yunevoag52ntvwp6wulaz3zirkmh4cnz6hhj7id.onion

Source

Updated 5 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Blackmatter posts a victim.

Add Blackmatter to your watchlist — Pro pings you within 5 minutes of any new Blackmatter leak-site post, Telegram callout, or affiliate-rebrand inference.