
A new ransomware gang that calls itself BlackMatter has launched itself on the dark web, and is actively attempting to recruit criminal partners and affiliates to attack large organisations in the United States, UK, Canada, and Australia.

As experts at Recorded Future describe, the BlackMatter gang is advertising for “initial access brokers” – individuals who can gain unauthorised access to enterprise networks, which can then be infected by ransomware.

BlackMatter is prepared to pay up to $100,000 for exclusive access to an organisation’s network, on which it can then deploy ransomware and exfiltrate data.

In “rules” published on its website, the BlackMatter ransomware group states that it does not attack the following types of organisation:

  • Hospitals.
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
  • Oil and gas industry (pipelines, oil refineries).
  • Defense industry.
  • Non-profit companies.
  • Government sector.

The site goes on to say that if an organisation that meets the above criteria has been hit by its ransomware, it can ask for free decryption.

The birth of BlackMatter appears, perhaps uncoincidentally, to coincide with the demise of the notorious DarkSide and REvil ransomware gangs following a series of high-profile attacks that caught the attention of the media worldwide and the US government.

Clearly, nature abhors a vacuum. It doesn’t take long for criminals to fill the space left following the demise of a ransomware gang or two.

Whether BlackMatter is effectively a rebrand of REvil or DarkSide, or simply another group of opportunistic cybercriminals mimicking the behaviour of a notorious ransomware gang, is difficult to say for certain.

But one thing is clear – it’s all about extorting cash:

“We are a team that unites people according to one common interest – money”

For now, there’s no evidence that BlackMatter has successfully infiltrated any organisations or made any money from its promised ransomware endeavours. However, it has deposited 4 Bitcoins (approximately US $120,000) into an escrow account, with the seeming intention to use it to fund partners going forward.

As such it would seem unwise to treat BlackMatter as anything but a serious potential threat.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.