Malicious group that attacked Colonial Pipeline rebrands itself, and sends warning to US
According to leading cyber researchers, the DarkSide group, which dropped under the radar after the FBI recovered much of the ransom paid by Colonial Pipeline, has resumed activity under a different name. "We believe in our motherland, we love our families," a representative of the group said in an interview
Cybertech
| 05/08/2021
BIGSTOCK: Copyright: AndreyPopov
It carried out a sophisticated ransomware attack on the main fuel pipeline in the U.S. that is considered a watershed moment that led to the U.S. administration's rethinking of cybersecurity, and even to regulatory changes, and then dropped under the radar after the FBI recovered more than half of the ransom paid (about $2.3 million out of the $4 million paid in bitcoin) by the victim, Colonial Pipeline. Now, a little more than two months later, DarkSide has resumed activity under a different name.
According to the Bleeping Computer website, which has served as a communication pipeline between cybercriminals and their victims, the group resumed activity last week under the name BlackMatter. The website said that it "is aware of multiple victims targeted by BlackMatter with ransom demands ranging from $3 to $4 million," adding that "One victim has already paid a $4 million ransom to BlackMatter this week to delete stolen data and receive both a Windows and Linux ESXi decryptor".
The researchers of the site examined the algorithms that were found in the decryptors and determined that they are from the same group because BlackMatter is using the same unique encryption methods as DarkSide. Although the researchers said it cannot be determined with absolute certainty, they claimed that the many similar characteristics leave little room for doubt. It should be noted that in reports on dark web forums, members of BlackMatter wrote that the group combined the features of DarkSide and REvil (which was behind the attacks on Microsoft Exchange and Kaseya this year). All of the groups operate in Russian.
The BlackMatter group is drawing a great amount of interest. On Monday, The Record website, belonging to American cybersecurity company Recorded Future, published an interview conducted by one of the company's cyber experts, Dmitry Smilyanets, with a member of BlackMatter that provided a fascinating glimpse of its methods and motivations. The member rejected claims that the group is actually DarkSide. "We are familiar with the DarkSide team from working together in the past but we are not them, although we are intimate with their ideas."
"The product has been in development for the last six months. Perhaps it seems simple, but it is not—what users see publicly is the tip of the iceberg," said the member of the malicious group in the interview (that was conducted in Russian and translated into English), adding that as long as the negotiations with the attacked companies are successful, the group does not publish anything on the public blog. The representative also said BlackMatter studied the products of other leading attack groups in great detail. "The executable itself has incorporated the ideas of LockBit, REvil, and partly DarkSide. The web part has incorporated the technical approach of DarkSide since we consider it the most structurally correct."
"We are monitoring the political situation, as well as receiving information from other sources," the representative said in response to a question regarding the significant activity by the U.S. in the cyber domain. "When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work," said the representative in a not-so-subtle warning. Biden, take note.
The representative also said that the group is interested in targeting large companies with annual revenue of more than $100 million, but it will not extort healthcare, critical infrastructure, oil and gas (and thus already differentiating itself from DarkSide), defense, non-profit, and government organizations. "We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us," adding that "our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data." In conclusion, the representative said "There are no secrets, but we believe in our motherland, we love our families, and we earn money for our children."
According to leading cyber researchers, the DarkSide group, which dropped under the radar after the FBI recovered much of the ransom paid by Colonial Pipeline, has resumed activity under a different name. "We believe in our motherland, we love our families," a representative of the group said in an interview
BIGSTOCK: Copyright: AndreyPopov
It carried out a sophisticated ransomware attack on the main fuel pipeline in the U.S. that is considered a watershed moment that led to the U.S. administration's rethinking of cybersecurity, and even to regulatory changes, and then dropped under the radar after the FBI recovered more than half of the ransom paid (about $2.3 million out of the $4 million paid in bitcoin) by the victim, Colonial Pipeline. Now, a little more than two months later, DarkSide has resumed activity under a different name.
According to the Bleeping Computer website, which has served as a communication pipeline between cybercriminals and their victims, the group resumed activity last week under the name BlackMatter. The website said that it "is aware of multiple victims targeted by BlackMatter with ransom demands ranging from $3 to $4 million," adding that "One victim has already paid a $4 million ransom to BlackMatter this week to delete stolen data and receive both a Windows and Linux ESXi decryptor".
The researchers of the site examined the algorithms that were found in the decryptors and determined that they are from the same group because BlackMatter is using the same unique encryption methods as DarkSide. Although the researchers said it cannot be determined with absolute certainty, they claimed that the many similar characteristics leave little room for doubt. It should be noted that in reports on dark web forums, members of BlackMatter wrote that the group combined the features of DarkSide and REvil (which was behind the attacks on Microsoft Exchange and Kaseya this year). All of the groups operate in Russian.
The BlackMatter group is drawing a great amount of interest. On Monday, The Record website, belonging to American cybersecurity company Recorded Future, published an interview conducted by one of the company's cyber experts, Dmitry Smilyanets, with a member of BlackMatter that provided a fascinating glimpse of its methods and motivations. The member rejected claims that the group is actually DarkSide. "We are familiar with the DarkSide team from working together in the past but we are not them, although we are intimate with their ideas."
"The product has been in development for the last six months. Perhaps it seems simple, but it is not—what users see publicly is the tip of the iceberg," said the member of the malicious group in the interview (that was conducted in Russian and translated into English), adding that as long as the negotiations with the attacked companies are successful, the group does not publish anything on the public blog. The representative also said BlackMatter studied the products of other leading attack groups in great detail. "The executable itself has incorporated the ideas of LockBit, REvil, and partly DarkSide. The web part has incorporated the technical approach of DarkSide since we consider it the most structurally correct."
"We are monitoring the political situation, as well as receiving information from other sources," the representative said in response to a question regarding the significant activity by the U.S. in the cyber domain. "When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work," said the representative in a not-so-subtle warning. Biden, take note.
The representative also said that the group is interested in targeting large companies with annual revenue of more than $100 million, but it will not extort healthcare, critical infrastructure, oil and gas (and thus already differentiating itself from DarkSide), defense, non-profit, and government organizations. "We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us," adding that "our business does not harm individuals and is aimed only at companies, and the company always has the ability to pay funds and restore all its data." In conclusion, the representative said "There are no secrets, but we believe in our motherland, we love our families, and we earn money for our children."
