Darkside ransomware operators lost their servers and money

Teacher (Professional) | Messages: 2,674 | Reputation: 9 | Reaction score: 671 | Points: 113
The criminal group behind Darkside has shut down its RaaS (Ransomware-as-a-Service) operation, cut off related resources and promised to issue decryptors to partners for the affected companies. The corresponding announcement was published on one of the hacker forums after the owners of the malware lost access to the public part of their infrastructure and lost the cryptocurrency received from the victims of the infection. As an additional reason for closing the affiliate program, the owners of Darkside cited pressure from the American authorities.

Following an attack on the Colonial Pipeline that disrupted the supply of gas to half of the US East Coast, President Joe Biden pledged that the barbarians would not go unpunished. The FBI has already launched an investigation, and, judging by the post of a Darkside representative, access to the hosting was blocked at the request of law enforcement agencies. There has not yet been an official statement from the authorities about this. It is possible that the threat of prosecution is just a cover and the attackers decided to simply run away with their partners' money so as not to share it. Such fraud is known in the criminal environment as an exit scam.

[image: darkside_disrupted.png]

Be that as it may, the site on which the Darkside operators published the data stolen from the attacked companies is currently unavailable as well. Their payment server on the Tor network still worked at the end of last week; if the guardians of law and order had seized it, they would probably have decided to give the victims the opportunity to get the decryption key. By the way, a free analogue of the decryptor for Darkside has been available to everyone in need since January of this year; it can be downloaded from the website of the information security company Bitdefender.

The hype in the press over the devastating attack on the Colonial Pipeline discouraged everyone involved in the spread of ransomware. The largest underground forums, XSS and Exploit, began to clean their pages of advertising for such malware and related services, deciding that such close attention to this topic could harm them. The operators of the RaaS services REvil and Avaddon, Darkside's closest competitors, jointly announced on Exploit the introduction of restrictions on targets, prohibiting partners from attacking hospitals, schools and government agencies. They also reduced the number of affiliate programs and decided to work only with a narrow circle of trusted associates.

Security experts expect that after the leading RaaS services go into the shadows, their orphaned clients will continue their malicious operations, but as part of small groups, under new names and with updated versions of ransomware. They will also have to change their cryptocurrency laundering service provider, a mixer: the popular cybercriminal service BitMix, which was used by the partners of Darkside, REvil and Avaddon, became unreachable and seems to have ceased to exist.
 

Tomcat (Professional) | Messages: 2,384 | Reputation: 4 | Reaction score: 411 | Points: 83
Is BlackMatter the new name for the DarkSide faction?

[image: 5b691a4d149e01ad2fb4e4fe605df207.jpg]

The cryptographic algorithms used in the tool that decrypts files encrypted by the recently emerged cyber ransomware group BlackMatter indicate that BlackMatter is the same notorious cybercriminal group DarkSide, under a different name.

After the high-profile cyberattack on Colonial Pipeline, the largest pipeline operator in the United States, which led to a shortage of gasoline along the entire southeast coast of the country, law enforcement agencies around the world, and especially American ones, began a real hunt for DarkSide. In May of this year, the group suddenly lost access to its servers and cryptocurrency assets, which were seized by unknown persons, and was forced to terminate its operations. As became known later, the FBI managed to take 63.7 of the 75 bitcoins that Colonial Pipeline had paid to the ransomware operators for file recovery.

A new group called BlackMatter entered the cyber ransomware arena this week, announcing on hacker forums that it is ready to pay up to $100,000 for access to the corporate networks of large companies. At the same time, it is only interested in companies with an annual income of $100 million or more.

According to BleepingComputer, BlackMatter already has at least one victim, who paid a $4 million ransom for decryptors for their Windows and Linux ESXi devices. The portal managed to obtain this decryptor, which it handed over to information security expert Fabian Wosar for analysis.

According to Wosar, BlackMatter uses the same unique encryption method as DarkSide. The data encryption process itself (in particular, the use of a Salsa20 matrix exclusive to DarkSide) in BlackMatter is almost identical to that of DarkSide.

When encrypting data with the Salsa20 cryptographic algorithm, the developer provides an initial matrix of sixteen 32-bit words. As Wosar explained, instead of the constant strings, position, nonce and key, DarkSide fills each word with random data for each file. This matrix is then encrypted using the RSA public key and stored in the header and footer of the encrypted file.

According to Wosar, the Salsa20 matrix was previously used exclusively by the DarkSide group. Additionally, DarkSide used an RSA-1024 implementation unique to its decryptor. Salsa20 and the RSA-1024 implementation are now used by the BlackMatter group.
Of course, there is no one hundred percent proof that BlackMatter is the new name of the same DarkSide, but the operations of both groups have a lot in common. The same language used on the sites, the same drive for media attention, and similar color themes for the TOR sites all indicate that BlackMatter is a rebranding of DarkSide.
Another fact that testifies in favor of the fact that BlackMatter and DarkSide are one and the same group is the public statement refusing to attack "the oil and gas industry (fuel pipelines and refineries)." After all, it was the attack on the fuel line that led to the closure of DarkSide operations.
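To make the matrix argument in the post above concrete, here is an added example (not code from the thread, from Fabian Wosar's analysis, or from either ransomware family). It implements the public Salsa20 core, builds the standard 16-word matrix (constants on the diagonal, key, nonce, block counter) and classifies a recovered 64-byte matrix as standard or nonstandard, which is the kind of check an analyst runs when comparing two decryptors. The key, nonce and sample matrices are constructed for illustration; the `classify_matrix` helper and its labels are this example's own, not part of any real tool.

```python
"""Salsa20 state-matrix layout checker (added example, not from the original thread).

Salsa20's core takes sixteen 32-bit words. In the standard layout the four
diagonal words hold the constant "expand 32-byte k", the key fills words
1-4 and 11-14, the nonce words 6-7 and the block counter words 8-9. The
post describes a variant in which every word is random, so the matrix
cannot be regenerated from key and nonce and has to travel with the file.
"""
import hashlib
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"                 # standard Salsa20 constant for 32-byte keys
CONST_WORDS = struct.unpack("<4I", SIGMA)
DIAGONAL = (0, 5, 10, 15)                   # word positions that hold the constants


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround exactly as in Bernstein's specification."""
    z1 = y1 ^ rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def rowround(y):
    z = list(y)
    z[0], z[1], z[2], z[3] = quarterround(y[0], y[1], y[2], y[3])
    z[5], z[6], z[7], z[4] = quarterround(y[5], y[6], y[7], y[4])
    z[10], z[11], z[8], z[9] = quarterround(y[10], y[11], y[8], y[9])
    z[15], z[12], z[13], z[14] = quarterround(y[15], y[12], y[13], y[14])
    return z


def columnround(x):
    y = list(x)
    y[0], y[4], y[8], y[12] = quarterround(x[0], x[4], x[8], x[12])
    y[5], y[9], y[13], y[1] = quarterround(x[5], x[9], x[13], x[1])
    y[10], y[14], y[2], y[6] = quarterround(x[10], x[14], x[2], x[6])
    y[15], y[3], y[7], y[11] = quarterround(x[15], x[3], x[7], x[11])
    return y


def salsa20_core(state, rounds=20):
    """Salsa20/20 hash: any 16 input words -> one 64-byte keystream block.
    The core does not care how the words were chosen, which is why an
    all-random matrix still produces a usable keystream."""
    x = list(state)
    for _ in range(rounds // 2):
        x = rowround(columnround(x))
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, state)])


def standard_state(key, nonce, counter=0):
    """Standard Salsa20 matrix for a 32-byte key and an 8-byte nonce."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("need a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & MASK, (counter >> 32) & MASK)
    return [CONST_WORDS[0], k[0], k[1], k[2], k[3],
            CONST_WORDS[1], n[0], n[1], c[0], c[1],
            CONST_WORDS[2], k[4], k[5], k[6], k[7], CONST_WORDS[3]]


def classify_matrix(raw):
    """Hypothetical analyst helper: report whether a recovered 64-byte matrix
    carries the Salsa20 constants on its diagonal ("standard") or not
    ("nonstandard", as the post describes for the per-file random matrix)."""
    if len(raw) != 64:
        raise ValueError("Salsa20 matrix must be 64 bytes")
    words = struct.unpack("<16I", raw)
    diag = tuple(words[i] for i in DIAGONAL)
    return "standard" if diag == CONST_WORDS else "nonstandard"


if __name__ == "__main__":
    # Constructed sample key and nonce (not real values from any sample).
    key = hashlib.sha256(b"constructed-sample-key").digest()
    nonce = b"\x00" * 8
    std = standard_state(key, nonce, counter=0)
    std_raw = struct.pack("<16I", *std)
    # Constructed stand-in for an all-random matrix (deterministic for the demo).
    random_raw = hashlib.sha512(b"constructed-random-matrix").digest()

    print("standard layout  :", classify_matrix(std_raw))
    print("all-random layout:", classify_matrix(random_raw))
    print("keystream (std)  :", salsa20_core(std)[:16].hex())
    print("keystream (rand) :", salsa20_core(struct.unpack("<16I", random_raw))[:16].hex())
```

The `quarterround` can be checked against the vector in the Salsa20 specification, `quarterround(1, 0, 0, 0) = (0x08008145, 0x00000080, 0x00010200, 0x20500000)`, and the core of an all-zero matrix is all zeros. The classification is the observable difference an analyst sees: with the standard layout only key and nonce need to be recovered, while a fully random matrix is only recoverable from the RSA-wrapped copy the file carries, which is why the two decryptors sharing this unusual layout was treated as a strong link between the groups.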
 