BlackMatter, a new ransomware group with alleged connections to DarkSide and REvil, appears to be demanding strict requirements of independent access broker partners so they could filter out monitoring from threat researchers.
Kimberly Goody, director of financial crime analysis at Mandiant Threat Intelligence, said examples of these requirements include the following: having an older profile on the forum with a minimum number of posts, providing proof of previous work with another ransomware, or providing confirmation of accesses to at least two large companies with revenues over $100 million.
“We have seen some indication that currently suggests that at least one actor connected to some DarkSide ransomware operations is aligning themselves with BlackMatter,” Goody said. “This isn’t necessarily surprising as we commonly see ransomware affiliates partnering with multiple providers..
However, Goody pointed out that BlackMatter appears to be partnering with threat actors who can provide initial access to victim organizations. “They have implemented requirements for these partners, likely to filter out security researchers and law enforcement, especially now given the significant media attention,” Goody said.
The story made news and sparked interest in the mainstream press mainly because REvil went dark after the JBS and Kaseya attacks, and DarkSide left the scene after the Colonia Pipeline attack. Speculation that the Biden administration pressured Vladimir Putin to take down the ransomware gangs is as yet unproven, but cause for the intense interest.
Researchers from Flashpoint also recently posted a blog showing potential connections between DarkSide and REvil and the new BlackMatter group, but the attempt to keep off the trail from security researchers proved to be the most significant, said, Dirk Schrader, global vice president, security research at New Net Technologies, now a part of Netwrix.
“BlackMatter has two motives,” said Schrader. “First, they aim to use their technology as long as possible without being reverse-engineered. Second, they want to hide as long as possible from law enforcement. Both motives are likely driven by recent successes by joint forces of researchers and law enforcement in tackling ransomware groups.”