Encryption algorithms found in a decryptor show that the notorious DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation and is actively conducting attacks against corporate entities.
After carrying out an attack on Colonial Pipeline, the largest fuel pipeline in the US, and causing fuel shortages in the southeastern US, the DarkSide ransomware group faced increased scrutiny from international law enforcement and the US government.
In May, the DarkSide ransomware operation was suddenly shut down after losing access to its servers and the cryptocurrency was seized by an unknown third party.
It later emerged that the FBI recovered 63.7 bitcoins from the ransom payment of approximately 75 bitcoins ($4 million) made by Colonial Pipeline.
This week, a new ransomware operation known as BlackMatter emerged that actively targets victims and buys network access from other threat actors to launch new attacks.
BlackMatter data leak site
BleepingComputer is aware of a victim who paid BlackMatter $4 million this week to have stolen data deleted and to receive Windows and Linux ESXi decryptors.
While researching the new ransomware group, BleepingComputer found a decryptor from a BlackMatter victim and shared it with Emsisoft CTO and ransomware expert Fabian Wosar.
After analyzing the decryptor, Wosar confirmed that the new BlackMatter group is using the same unique encryption methods that DarkSide had used in their attacks.
After looking through a leaked BlackMatter decryption binary, I am convinced that we are dealing with a rebrand of Darkside here. The crypto routines are an exact copy of their RSA and Salsa20 implementation, including the use of a custom array.
– Fabian Wosar (@fwosar) July 31, 2021
Wosar told BleepingComputer that the encryption routines used by BlackMatter are essentially the same, including a custom Salsa20 matrix previously seen only in DarkSide.
When encrypting data with the Salsa20 encryption algorithm, a developer provides an initial array consisting of sixteen 32-bit words.
Fabian told BleepingComputer that when encrypting files, instead of filling that array with the usual fixed constants, block counter, nonce, and key, DarkSide fills all sixteen words with random data for each encrypted file.
This array is then encrypted with a public RSA key and stored in the footer of the encrypted file.
Fabian says that this Salsa20 implementation was previously only used by DarkSide, and now by BlackMatter.
BleepingComputer was also told that DarkSide used a unique RSA-1024 implementation for its encryptor, which BlackMatter also uses.
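The state layout described above, as an added example that is not code from the article or from either ransomware: a conventional 16-word Salsa20 state next to a check an analyst can run on a recovered matrix to tell the standard layout from an all-random one, plus the Salsa20 core, which shows that any sixteen words produce a keystream block. The RSA wrapping and the footer format are not reproduced; the sample key and nonce are constructed.

```python
import struct

M = 0xFFFFFFFF
# Salsa20 "sigma" constants for a 32-byte key, one 32-bit word each.
SIGMA = [struct.unpack("<I", c)[0] for c in (b"expa", b"nd 3", b"2-by", b"te k")]
CONST_POS = (0, 5, 10, 15)  # the constants sit on the diagonal of the 4x4 matrix

def standard_state(key, nonce, counter):
    """Conventional Salsa20 state: constants on the diagonal, key in words
    1-4 and 11-14, 8-byte nonce in 6-7, 64-bit block counter in 8-9."""
    assert len(key) == 32 and len(nonce) == 8
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & M, (counter >> 32) & M)
    return [SIGMA[0], *k[:4], SIGMA[1], *n, *c, SIGMA[2], *k[4:], SIGMA[3]]

def classify_state(words):
    """Analyst check on a 16-word state pulled from a decryptor or a file:
    a fully random matrix (the DarkSide/BlackMatter style) lacks the
    constants that a standard Salsa20 state always carries."""
    if len(words) != 16:
        raise ValueError("Salsa20 state must be 16 x 32-bit words")
    if all(words[p] == s for p, s in zip(CONST_POS, SIGMA)):
        return "standard"
    return "custom"

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M

def _qr(x, a, b, c, d):  # Salsa20 quarter-round, in place
    x[b] ^= _rotl((x[a] + x[d]) & M, 7)
    x[c] ^= _rotl((x[b] + x[a]) & M, 9)
    x[d] ^= _rotl((x[c] + x[b]) & M, 13)
    x[a] ^= _rotl((x[d] + x[c]) & M, 18)

def salsa20_block(state, rounds=20):
    """Salsa20 core: the 16-word state is the only input, so a random matrix
    drives the keystream just as a standard one does."""
    x = list(state)
    for _ in range(rounds // 2):
        _qr(x, 0, 4, 8, 12); _qr(x, 5, 9, 13, 1)      # column round
        _qr(x, 10, 14, 2, 6); _qr(x, 15, 3, 7, 11)
        _qr(x, 0, 1, 2, 3); _qr(x, 5, 6, 7, 4)        # row round
        _qr(x, 10, 11, 8, 9); _qr(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & M for a, b in zip(x, state)])

if __name__ == "__main__":
    std = standard_state(bytes(range(32)), b"constrct", 0)   # constructed sample
    rnd = struct.unpack("<16I", bytes(range(64)))             # stand-in for random words
    print(classify_state(std), classify_state(list(rnd)), len(salsa20_block(rnd)))
```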
While there is not 100% proof that BlackMatter is a rebranding of the DarkSide operation, many similar features make it hard to believe that this is not the case.
Taken together, the same encryption algorithms, the similar language used on BlackMatter's sites, the similar desire for media attention, and the similar color themes of their Tor sites make it very much look like BlackMatter is the new DarkSide.
A rebrand of DarkSide also explains why the new BlackMatter group will not target the "oil and gas industry (pipelines, oil refineries)", the sector whose targeting caused its previous downfall.
Unfortunately, this is a highly skilled group that focuses on multiple device architectures, including Windows, Linux, and ESXi servers.
Because of this, we will have to keep an eye out for this new group, as they will surely carry out attacks against known targets in the future.