Is BlackMatter the new name for the DarkSide faction?


The cryptographic algorithms used in the tool to decrypt files encrypted by the newly emerging cyber ransomware group BlackMatter indicate that BlackMatter is the same sensational cybercriminal group DarkSide, but with a different name.


After a high-profile cyberattack on the Colonial Pipeline, the largest pipeline operator in the United States, which led to a shortage of gasoline along the entire southeast coast of the country, law enforcement agencies around the world, and especially American ones, began a real hunt for DarkSide. In May of this year, the group suddenly lost access to its servers and cryptocurrency assets, which were seized by unknown persons , and was forced to terminate its operations. As it became known later, the FBI managed to take 63.7 bitcoins from DarkSide out of 75 paid by Colonial Pipeline to ransomware for file recovery.


A new group called BlackMatter entered the cyber ransomware arena this week, announcing on hacker forums that it is ready to pay up to $ 100,000 for access to corporate networks of large companies. At the same time, she is only interested in companies with an annual income of $ 100 million or more.


According to BleepingComputer, BlackMatter already has at least one victim who has paid a $ 4 million ransom for decryptors for their Windows and Linux ESXi devices. The portal managed to obtain this decryptor, which it handed over to information security expert Fabian Wosar for analysis.


According to Vosar, BlackMatter uses the same unique encryption method as DarkSide. The process of data encryption itself (in particular, the use of Salsa20 matrix exclusive to DarkSide) BlackMatter is almost identical to DarkSide.


In the process of encrypting data using the Salsa20 cryptographic algorithm, the developer provides an initial matrix of sixteen 32-bit words. As Vosar explained, instead of constant strings, position, one-time random number and key for each file, DarkSide fills each word with random data. This matrix is ​​then encrypted with the RSA public key and stored in the header and footer of the encrypted file.


According to Vosar, the Salsa20 matrix was previously used exclusively by the DarkSide faction. Additionally, DarkSide used an RSA-1024 implementation unique to its decryptor. Salsa20 and the RSA-1024 implementation are now used by the BlackMatter constellation.


Of course, there is no one hundred percent proof that BlackMatter is the new name of the same DarkSide, but the operations of both groups have a lot in common. The same language used on the sites, the same drive for media attention, and similar color themes for the TOR sites all indicate that BlackMatter is a rebranding of DarkSide.


Another fact that testifies in favor of the fact that BlackMatter and DarkSide are one and the same group is the public statement refusing to attack "the oil and gas industry (fuel pipelines and refineries)." After all, it was the attack on the fuel line that led to the closure of DarkSide operations.

Previous Post Next Post