BlackMatter Ransomware Claims to Follow REvil & DarkSide

A new ransomware-as-a-service appears with tools and techniques from DarkSide, REvil, and LockBit 2.0.

Dark Reading Staff, Dark Reading

August 10, 2021

1 Min Read
Dark Reading logo in a gray background | Dark Reading

BlackMatter, a new ransomware-as-a-service (RaaS), has appeared on the threat landscape and brought tools and techniques from DarkSide, REvil, and the still-active LockBit 2.0.

SophosLabs researchers took a closer look at the malware, which emerged after DarkSide RaaS shut down its operations after an affiliate hit Colonial Pipeline, and after REvil went dark after its attack on Kaseya. BlackMatter's operators claim their ransomware "incorporates the best features" of DarkSide, REvil, and LockBit 2.0," and while they are close to DarkSide operators, they are not the same group.

"There are a number of factors that suggest a connection between BlackMatter and DarkSide," states SophosLabs' Mark Loman in a blog post. "However, this is not simply a rebranding from one to another. Malware analysis shows that while there are similarities with DarkSide ransomware, the code is not identical."

Their similarities include a partial encryption scheme, which BlackMatter, DarkSide, and LockBit 2.0 all use. They only encrypt a portion of the entire file, which shortens the duration of an attack because a small amount of the file is read and overwritten.

Like REvil, LockBit 2.0, and DarkSide, BlackMatter tries to elevate privileges when limited by User Account Control. And like DarkSide and REvil, it uses a runtime API that can hamper static analysis of the ransomware. Researchers note that the way in which the runtime API and string decryption function in BlackMatter is similar to the same functionality in DarkSide and REvil.

Read the full blog post for more details on similarities in the ransomware.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights