A New Ransomware Player: BlackMatter
The BlackMatter ransomware is currently targeting companies with revenue of at least $100 million. The cybercriminals say they will not target hospitals, the defense industry, non-profit and government organizations, or critical infrastructure facilities such as nuclear power plants and water treatment facilities.
The new ransomware gang is also looking for affiliates and collaborators, as is evident from ads posted on the Exploit and XSS underground forums. It is noteworthy that ransomware ads have been banned on both forums. To circumvent the ban, the cybercriminals do not advertise their service as a RaaS. Instead, they claim to be recruiting “initial access brokers,” a term typically used for people who sell access to already-compromised enterprise networks.
BlackMatter Ransomware Targets Specific Companies
As the ads make clear, the BlackMatter gang is specifically interested in large corporate networks belonging to companies with annual revenue above $100 million. The networks should be located in the US, the UK, Canada, or Australia and should have between 500 and 15,000 hosts. The gang is prepared to pay up to $100,000 for exclusive access. Once such access is obtained, the gang takes over the target’s internal systems to run its file-encrypting payload. BlackMatter claims to be capable of encrypting a range of operating systems and architectures, including Windows, Linux (Ubuntu, Debian, CentOS), VMware ESXi 5+ virtual endpoints, and NAS devices such as Synology and FreeNAS.
According to Recorded Future, BlackMatter also runs a leak site where data stolen from victims is to be published unless the ransom demand is met. The leak site does not feature any information at the moment, which suggests the group has not launched any attacks yet. However, based on the information available so far, researchers believe there is a connection between BlackMatter and the DarkSide ransomware.
This is not the only ransomware player to have emerged recently. A few weeks ago, Fortinet reported the discovery of the so-called Diavol ransomware. The new ransomware was uncovered at the beginning of June, when Fortinet blocked a ransomware attack targeting one of its customers.