Not long after Kaseya announced that they have obtained a decryptor key to rescue companies that were affected by the REvil ransomware attack, rumours that the gang has rebranded to BlackMatter have surfaced.
All REvil websites went dark and completely disappeared from the internet after the US government ordered the FBI to investigate the ransomware attack on more than 1 000 companies.
However, it seems rather too soon for the gang to make a comeback, and a comeback as dramatic and controversial as this one, under the name ‘BlackMatter’, which some people on social media associate with the Black Lives Matter movement.
Other sources say that the name has nothing at all to do with the movement and suspect that this is instead a resurgence of a different ransomware group called DarkSide. According to reports, that group is Eastern Europe-based and made its first appearance in August 2020.
REvil ransomware: DarkSide series of events
In October 2020, DarkSide donated $20 000 (almost R300 000) stolen from victims to charity. The following month the group established its RaaS model and invited other criminals to use its services. A DarkSide data leak site was later discovered. During the same month, the group launched a content delivery network (CDN) for storing and delivering compromised data.
The ransomware group invited media outlets and data recovery organisations to follow its press centre on the public leak site. It gets even more interesting: the group released a 2.0 version of its ransomware with further updates.
In March 2021, DarkSide struck, launching the Colonial Pipeline attack. After the attack, DarkSide announced that it was apolitical and that it would start evaluating its targets.
BlackMatter: What’s the deal with this ‘new’ ransomware group?
Fabian Wosar, Chief Technology Officer of Emsisoft and “slayer of ransomware”, as he calls himself, hinted in a tweet that the BlackMatter ransomware portal looks very similar to that of DarkSide.
“I guess once you go ransomware threat actor, you continue to stay on the Darkside,” Wosar teased.
“Seriously though: Unless we find a payload to compare, there is no way to confirm whether this is an actual Darkside rebrand,” he added.
Wosar also noted that it is common for ransomware threat actors to steal each other’s portal designs.
Well, is REvil back?
Truth is, no one really knows. According to Wosar, a victim was hit by a REvil variant which, he assumes, the attacker produced by patching an existing REvil payload.
He believes that this is not the work of the original REvil operators or someone who has access to the REvil source code. He said that it is most likely an ex-affiliate who didn’t want to accept that “his favourite ransomware operator went dark.”
REvil has since gone dark on all of its websites after Joe Biden ordered an investigation into the gang. Biden had also warned Putin that there would be consequences if the Russian government had anything to do with the Kaseya ransomware attack that affected over 1 000 companies. He also said that Putin should stop protecting hackers.