New Ransomeware Gangs Appear on Cybercrime Forums

30th July 2021, Kathmandu

This month, two new ransomware service (RaaS) programs appeared on the threat radar. One of them claimed to be the successor of DarkSide and Ravil. These two notorious ransomware groups have conducted attacks on Colonial. Pipeline and Kaseya in the past. Go offline after a major attack. Months.

“The project has integrated the best features of DarkSide, REvil, and LockBit into itself,” the operator behind the new BlackMatter group said on its public dark web blog, promising not to attack organizations in various industries, including healthcare, Critical infrastructure, oil and gas, national defense, non-profit organizations, and government agencies.

According to Flashpoint, the threat actor BlackMatter registered an account on the Russian XSS and Exploited Forum on July 19, then quickly followed up and posted a post stating that they were seeking to purchase a pair containing 500 hosts and 15,000 The access rights to the infected corporate network of the host are in the United States, Canada, Australia, and the United Kingdom, with annual revenue of more than $100 million, which may indicate the existence of large-scale ransomware operations.

“The attacker deposited 4BTC (approximately $150,000) into his escrow account. The large deposits on the forum indicate the severity of the threat actors,” Flashpoint researchers said in a report. “BlackMatter did not publicly state that they are collective ransomware operators. Technically speaking, this does not violate the forum rules, although the language of their posts and their targets clearly indicate that they are collective ransomware operators.”

On July 27, the organization reportedly began actively recruiting partners and affiliates, using the Exploit forum’s Jabber server to post their hiring information. They claimed to be looking for penetration tests with experience familiar with Windows and Linux systems and Windows and Linux systems. When staff initially visit the provider, they either sell their visits for a certain percentage of profit.

Last month, corporate security firm Proofpoint revealed how ransomware groups increasingly buy access from independent cybercriminal groups who infiltrate their main targets and then provide them with an entry point to implement theft and encryption operations. Of data in exchange for some illicit profits.