Researchers Find Strong Indications That DarkSide Ransomware Gang Is Back As BlackMatter

Researchers find similarities in encryption algorithms, which makes them believe the DarkSide gang has rebranded as the new BlackMatter gang and is now targeting corporate users.

The DarkSide group attacked the US’s largest fuel pipeline a few months ago and drew increased attention from international law enforcement agencies. The ransomware operation suddenly shut down in May 2018 after losing access to its servers and having its cryptocurrency seized by an unknown third party. The FBI later said it managed to recover 63.7 Bitcoins of the ransom payment made by the pipeline company to DarkSide.

This week, a new ransomware gang called BlackMatter emerged, which is now actively attacking victims and buying network access from the so-called initial access brokers.

It is reported that one of the victims has already paid BlackMatter $4 million in ransom money for wiping the stolen data and getting decryptors.

While investigating the new ransomware group, BleepingComputer came across a BlackMatter victim’s decryptor, which was shared with Fabian Wosar, the head of cybersecurity company Emsisoft.

After analyzing the encrypted data, Wosar concluded that the new group is using the same encryption methods used by DarkSide. According to Wosar, the encryption routines used by DarkSide and BlackMatter are almost identical, and the new gang reuses the custom Salsa20 matrix that DarkSide previously used.

When encrypting data with the Salsa20 algorithm, an initial matrix is filled with 16 32-bit words. Wosar explained that instead of filling it with the usual constant strings, a position, a nonce and a key for encrypting all files, DarkSide fills the matrix with random data. This method then encrypts the file with a public RSA key.

Previously, only DarkSide used this implementation; now BlackMatter uses it as well. In addition, BlackMatter uses an RSA-1024 implementation that was unique to DarkSide’s encryptor. While these two features don’t make it 100% certain that BlackMatter is a rebranding of DarkSide, researchers said it most likely is.
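As an added illustration (not code from the article or from either gang's encryptor), the following Python shows a minimal Salsa20 core, the textbook 16-word state beside a fully random matrix of the kind described above, and the check an analyst would run on a 64-byte state recovered from a sample. The position of the block counter in the random layout is an assumption made for the example.

```python
import os
import struct

MASK = 0xFFFFFFFF
SIGMA = (b"expa", b"nd 3", b"2-by", b"te k")   # textbook constants at words 0, 5, 10, 15

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def salsa20_block(state):
    """Salsa20/20 core on 16 little-endian words; returns the 64-byte output block."""
    x = list(state)
    for _ in range(10):
        # one column round then one row round, each made of four quarterrounds
        for a, b, c, d in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                           (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
            x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
            x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
            x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)
    return struct.pack("<16I", *((x[i] + state[i]) & MASK for i in range(16)))

def standard_state(key32, nonce8, counter=0):
    """Textbook layout: sigma constants, 256-bit key, 64-bit nonce, 64-bit block counter."""
    s = [struct.unpack("<I", w)[0] for w in SIGMA]
    k = struct.unpack("<8I", key32)
    n = struct.unpack("<2I", nonce8)
    return (s[0], *k[:4], s[1], *n, counter & MASK, counter >> 32, s[2], *k[4:], s[3])

def random_state():
    """DarkSide/BlackMatter style: all 16 words random, no constants or separate key/nonce."""
    return struct.unpack("<16I", os.urandom(64))

def has_sigma_constants(state):
    """Analyst check: a textbook state carries the sigma words, a random matrix does not."""
    words = struct.unpack("<16I", state) if isinstance(state, (bytes, bytearray)) else state
    return all(struct.pack("<I", words[i]) == SIGMA[j] for j, i in enumerate((0, 5, 10, 15)))

def xor_stream(state, data):
    """Symmetric encrypt/decrypt; counter assumed in words 8-9 for both layouts."""
    words, out = list(state), bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(words)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
        words[8] = (words[8] + 1) & MASK
        if words[8] == 0:
            words[9] = (words[9] + 1) & MASK
    return bytes(out)
```

Because the random matrix is the whole key material, a decryptor only needs the RSA-protected 64-byte blob, which is why the recovered decryptor was enough to compare the two families.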

There are many other similarities between the two. BlackMatter’s sites use similar language and the same color themes, both gangs crave media attention, and the names of the two gangs look similar.

Also, the new BlackMatter group promises not to target the “Oil and Gas industry (pipelines, oil refineries),” the sector whose targeting led to the shutdown of DarkSide.

Researchers say this group is very skilled at attacking various device architectures and will likely carry out high-profile attacks in the near future.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.