Encryption algorithms present in a decryptor show that the infamous DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation and is actively performing attacks on corporate entities.
In May, the DarkSide ransomware operation shut down after losing access to their servers and cryptocurrency was seized.
This week, a new ransomware operation known as BlackMatter emerged that is actively attacking victims and purchasing network access from other threat actors to launch new attacks.
BleepingComputer is aware of one victim who paid BlackMatter $4 million this week to delete any stolen data and provide both Windows and Linux ESXi decryptors.
While researching the new ransomware group, BleepingComputer found a decryptor from a BlackMatter victim and shared it with Emsisoft CTO and ransomware expert Fabian Wosar.
After analyzing the decryptor, Wosar confirmed that the new BlackMatter group is using the same unique encryption methods that DarkSide had used in their attacks.
After looking into a leaked BlackMatter decryptor binary I'm convinced that we're dealing with a Darkside rebrand here. Crypto routines are an exact copy pretty much for both their RSA and Salsa20 implementation including their usage of a custom matrix.
— Fabian Wosar (@fwosar) July 31, 2021
Wosar told BleepingComputer that the encryption routines used by BlackMatter are practically identical, including a custom Salsa20 matrix unique to DarkSide.
When encrypting data using the Salsa20 encryption algorithm, a developer provides an initial matrix consisting of sixteen 32-bit words.
When encrypting files, Fabian told BleepingComputer that instead of using constant strings, a position, a nonce, and a key for each encrypted file, DarkSide fills the words with random data.
This matrix is then encrypted with a public RSA key and stored in the footer of the encrypted file.
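To make the matrix detail concrete, here is an added Python example; it is not code from the article, from DarkSide or from BlackMatter. It implements a plain Salsa20/20 core, builds the textbook sixteen-word layout (constants, key, nonce, block position) that the article contrasts with, and builds a variant whose sixteen words are all random, as Wosar describes. The article says only that the words are filled with random data and that the matrix is stored RSA-encrypted in the file footer; how a per-file random matrix is advanced from block to block is not stated, so `xor_with_keystream` reusing words 8 and 9 as the counter for the random variant is an assumption made here. The `has_standard_constant` helper illustrates the caveat for analysts: the usual "expand 32-byte k" constant, which many signature rules key on, is simply absent from such a matrix, so detection has to rest on the code pattern rather than on that string.

```python
import os
import struct

# Standard Salsa20 constant for 256-bit keys; words 0, 5, 10 and 15 of the
# textbook matrix hold its four little-endian 32-bit pieces.
SIGMA_WORDS = struct.unpack("<4I", b"expand 32-byte k")
MASK = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK


def _quarter_round(x, a, b, c, d):
    x[b] ^= _rotl32((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl32((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl32((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl32((x[d] + x[c]) & MASK, 18)


def salsa20_block(matrix):
    """Salsa20/20 core: sixteen 32-bit words in, 64 keystream bytes out."""
    x = list(matrix)
    for _ in range(10):  # ten double rounds
        _quarter_round(x, 0, 4, 8, 12)   # column rounds
        _quarter_round(x, 5, 9, 13, 1)
        _quarter_round(x, 10, 14, 2, 6)
        _quarter_round(x, 15, 3, 7, 11)
        _quarter_round(x, 0, 1, 2, 3)    # row rounds
        _quarter_round(x, 5, 6, 7, 4)
        _quarter_round(x, 10, 11, 8, 9)
        _quarter_round(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((x[i] + matrix[i]) & MASK for i in range(16)))


def standard_matrix(key, nonce, counter=0):
    """Textbook layout: constants, 32-byte key, 8-byte nonce, 64-bit block position."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = SIGMA_WORDS
    return [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
            counter & MASK, (counter >> 32) & MASK,
            c[2], k[4], k[5], k[6], k[7], c[3]]


def random_matrix(rng=os.urandom):
    """The variant the article describes: all sixteen words drawn from random
    data per file, with no constant, nonce or counter field in a fixed slot."""
    return list(struct.unpack("<16I", rng(64)))


def has_standard_constant(matrix):
    """Detection helper: are the 'expand 32-byte k' words where the standard
    layout puts them? A fully random matrix will not carry them."""
    return tuple(matrix[i] for i in (0, 5, 10, 15)) == SIGMA_WORDS


def xor_with_keystream(matrix, data, counter_words=(8, 9)):
    """XOR data with the keystream; symmetric, so the same call decrypts.
    Words 8 and 9 are the block counter in the standard layout; advancing the
    same positions for a random matrix is an assumption made in this example."""
    lo, hi = counter_words
    m = list(matrix)
    out = bytearray()
    for off in range(0, len(data), 64):
        block = salsa20_block(m)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], block))
        m[lo] = (m[lo] + 1) & MASK
        if m[lo] == 0:
            m[hi] = (m[hi] + 1) & MASK
    return bytes(out)


if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(8)
    sample = b"constructed sample file contents " * 5  # constructed input
    for label, m in (("standard", standard_matrix(key, nonce)), ("random", random_matrix())):
        ct = xor_with_keystream(m, sample)
        assert xor_with_keystream(m, ct) == sample
        print(f"{label:8s} matrix: round trip ok, "
              f"standard constant present: {has_standard_constant(m)}")
```

Run as a script, the standard matrix reports the constant as present and the random one as absent, while both round-trip the sample data. Recovering the random matrix from a real encrypted file would require the RSA private key that decrypts the footer, which is exactly why the decryptor, not the encryptor, was the useful artifact here.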
Fabian says this Salsa20 implementation was previously only used by DarkSide, and now by BlackMatter.
BleepingComputer was also told that DarkSide used an RSA-1024 implementation unique to their encryptor, which BlackMatter also uses.
While there is not 100% proof that BlackMatter is a rebrand of the DarkSide operation, many similar characteristics make it hard to believe this is not the case.
When we take the same encryption algorithms, the similar language used on the BlackMatter sites, a similar craving for media attention, and similar color themes for their Tor sites, it is highly likely that BlackMatter is the new DarkSide.
A rebrand from DarkSide also explains the reason the new BlackMatter group will not target the "Oil and Gas industry (pipelines, oil refineries)," which led to their previous downfall.
Unfortunately, this is a highly skilled group that targets multiple machine architectures, including Windows, Linux, and ESXi servers.
Due to this, we will need to keep an eye on this new group, as they will surely perform attacks on well-known targets in the future.