BlackMatter and Haron ransomware groups emerge after DarkSide and REvil disappear

A new ransomware group launched into operation this week, claiming to combine the best features of the now-defunct Darkside and REvil ransomware groups. Named BlackMatter, the group is currently recruiting affiliates (collaborators) through ads posted on two cybercrime forums named Exploit and XSS.

According to security firm Recorded Future, BlackMatter claims the project "has incorporated in itself the best features of DarkSide, REvil, and LockBit." In their blog, the threat actor group claims not to conduct attacks against organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government.

BlackMatter, a member of the top-tier forum Exploit and likely an operator of BlackMatter ransomware, is currently advertising the purchase of access to corporate networks in the US, Canada, Australia, and the U.K. The threat actor is interested in all industries, except healthcare and governments, and has the following requirements for targets:

Revenue of $100 million and more
500-15,000 hosts in the network

BlackMatter, like most top-tier ransomware gangs today, also operates a website on the dark web - or leak site - where it intends to publish data they steal from their victims if the hacked company does not pay the ransom. Because the site is currently empty, Recorded Future analysts believe the group only launched this week and has not yet begun targeting any big corporations.

Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, "More threat actors are doing their due diligence when it comes to selecting victims. We've seen time and again when they have some knowledge around key personalities within an organization, revenue, size, and even customers, so the idea of big game hunting seems to be in line with observed ransomware trends.

Nikkel adds, "The interesting twist is the continued public stance against specific industries and promises to help victims. While REvil had publicly stated that everything was fair game previously, maybe this cooling-off period from previous attention has forced a change of heart if it is indeed them coming back. Either way, time will tell if these groups are the repackaged or rebranded versions of adversaries we knew from before or if they'll even follow their own rules."

A second group is calling itself Haron, also discovered in July 2021. According to Ars Technica, a sample of the Haron malware was first submitted to VirusTotal on July 19. Three days later, South Korean security firm S2W Lab discussed the group in a post. Most of the group's site on the dark web is password protected by "extremely weak credentials." Past the login page, there's a list of alleged targets, a chat transcript, and the group's explanation of its mission. In addition, Haron is using Thanos Ransomware to infect victims. Thanos is a ransomware-as-a-service that has been sold since 2019.

Both groups claim their goal is to target corporations and large businesses with the money to pay ransoms in the millions of dollars. The news of the two ransomware groups comes on the heels of recent ransomware attacks of Colonial Pipeline, meatpacker JBS, and managed network provider Kaseya - all of which caused massive disruptions and drew the attention of U.S. federal agencies and President Joe Biden, inspiring legislation to modernize critical infrastructure and defend industrial controls against cybercriminals.

Andrew Barratt, Managing Principal, Solutions and Investigations at Coalfire, a Westminster, Colo.-based provider of cybersecurity advisory services, says, "Ransomware is really the rapid monetization unicorn of cybercriminals of the moment. With large-scale ransoms being paid, easy execution, and a very broad attack surface, criminals are less likely to be targeting data for sale or payment card information for onward fraudulent use. Ransomware can be executed by rogue nations, terrorist organizations, as well as large-scale organized crime. It can be bought on a SaaS basis and delivers quite a high return. Until we stop paying out on ransoms, we're going to see more attacks. Monetary incentives trump everything from a criminal perspective. However, the ability to pivot the attack to be debilitating to an organization for either extortion or espionage is what makes this the threat that isn't going away anytime soon."

Security researchers at Recorded Future questioned if BlackMatter has connections to either DarkSide or REvil, which suddenly went dark after the cyberattacks on JBS and Kaseya and Colonial Pipeline, which generated more attention than the groups wanted. "Anyone who attributed the disappearance of REvil to actions by law enforcement, and hasn't anticipated a re-emergence, should rethink things. There is also a good chance that REvil decided proactively to take down everything and to re-emerge, just to make tracking and tracing even more difficult," says Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, a provider of change management software.

Schrader explains, "Any saber-rattling by the U.S. Government about kinetic responses and hack-backs will not change the situation. Ransomware groups will continue to look for attack vectors that are likely to have a higher motivation for payment, and that is the next evolution in this business. We already see the early effects: Kaseya, SolarWinds, tools that promise access to high-value assets, where an organization's revenue stream and reputation depend. The recently added capability of encrypting ESXi servers is a harbinger of what will come, and CISA's recent alert about the top routinely exploited vulnerabilities includes a warning about CVE-2021-21985 as well. In essence, not paying a ransom is the only angle that will – over time – eradicate ransomware. And to be positioned for that, companies will have to minimize and protect their attack surface, harden their systems and infrastructure, manage existing accounts properly and delete old ones, patch vulnerabilities according to risks, and be able to operate in a cyber-resilient manner when under attack."

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?