A new ransomware group has been uncovered with multiple similarities to the disbanded DarkSide gang.

The resemblance of the BlackMatter ransomware group’s attack strategies to those of the former gang is so close that many cybersecurity experts believe the new operation is simply the DarkSide outfit rebranded.

A ransomware gang on the run

After successfully conducting a targeted attack on America’s biggest fuel pipeline, Colonial Pipeline, which caused large-scale fuel shortages in the US’s southeast, the DarkSide ransomware gang came to the attention of the authorities. With both the US Government and global law enforcement agencies scrutinising their activities, the gang lost access to their cryptocurrency holdings and servers and summarily shut down.

Colonial Pipeline had made a Bitcoin payment equating to £2.8m to the gang, but the Federal Bureau of Investigation (FBI) managed to recover around two thirds of the ransom. The DarkSide gang left the hacker forums it frequented and appeared to have disappeared from the cybercriminal world.

Recently, however, the BlackMatter ransomware gang has appeared, buying network access from other threat actors to launch attacks against new victims. Multiple targets have so far been hit by the new operation, which typically requests ransoms in the range of $3m to $4m. Already, one victim has submitted to the group’s demands and paid BlackMatter a $4m ransom in return for the deletion of data stolen during a breach, and to receive dedicated decryptors to unlock essential data files being withheld from them by the gang.

Encryption routines used that match DarkSide’s tactics

IT help site BleepingComputer discovered a decryptor given to a BlackMatter target in return for a ransomware payout and shared it with Fabian Wosar, Chief Technical Officer (CTO) for Emsisoft, who is an expert in the field of ransomware.

The CTO analysed the decryption solution and confirmed that the BlackMatter ransomware gang is employing the same unique methods of encryption formerly used by DarkSide in its attacks.

Wosar explained that the encryption routines employed by the new gang include a bespoke “Salsa20 matrix” that is, to date, unique to the DarkSide ransomware gang.

When data is encrypted with this algorithm, the developer initially provides a matrix that consists of 16 individual 32-bit words. The CTO stated that when encrypting data files, DarkSide fills these words with randomised data instead of using the constant strings, nonce, position, and key for every file encrypted.

This dedicated matrix is then entirely encrypted with a specific public Rivest–Shamir–Adleman (RSA) key before being stored within the footer of the encrypted data file. Until it was found being used by BlackMatter, this bespoke Salsa20 matrix had only been seen in use by DarkSide.
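To make the difference concrete, the following added example (not code from the article, from Emsisoft, or from either ransomware family) builds the standard Salsa20 matrix and checks whether a recovered 64-byte state follows that layout. The function names and sample values are constructed for illustration.

```python
import struct

# Standard Salsa20 constants for 256-bit keys: ASCII "expand 32-byte k",
# read as four little-endian 32-bit words.
SIGMA = struct.unpack("<4I", b"expand 32-byte k")
DIAGONAL = (0, 5, 10, 15)  # matrix positions that hold the constants

def standard_state(key, nonce, counter):
    """Build the textbook Salsa20 initial matrix as 16 32-bit words."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("expects a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    pos = (counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF)
    return [SIGMA[0], k[0],     k[1],     k[2],
            k[3],     SIGMA[1], n[0],     n[1],
            pos[0],   pos[1],   SIGMA[2], k[4],
            k[5],     k[6],     k[7],     SIGMA[3]]

def describe_state(blob):
    """Classify a 64-byte Salsa20 state taken from an analysed sample.

    A standard state carries the constants on the diagonal, so key, nonce
    and position can be read from fixed slots. A fully randomised matrix,
    as described for DarkSide, fails this check and has to be treated as
    64 bytes of opaque keying material.
    """
    if len(blob) != 64:
        raise ValueError("a Salsa20 state is exactly 64 bytes")
    words = struct.unpack("<16I", blob)
    standard = all(words[i] == c for i, c in zip(DIAGONAL, SIGMA))
    result = {"standard_layout": standard}
    if standard:
        result["key"] = struct.pack("<8I", *words[1:5], *words[11:15])
        result["nonce"] = struct.pack("<2I", words[6], words[7])
        result["counter"] = words[8] | (words[9] << 32)
    return result

if __name__ == "__main__":
    # Constructed sample inputs, not data from any real incident.
    key, nonce = bytes(range(32)), bytes(range(100, 108))
    textbook = struct.pack("<16I", *standard_state(key, nonce, 7))
    print(describe_state(textbook))
    print(describe_state(bytes(range(64))))  # no constants on the diagonal
```

A scanner that locates Salsa20 state by searching for the "expand 32-byte k" constants will not find a matrix built the way the article describes, which is one reason the construction stands out as a fingerprint.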

Additionally, BlackMatter and DarkSide both use an RSA-1024 implementation that is unique to their chosen encryptor. BlackMatter’s various sites also use similar language and colour themes to the DarkSide group’s online presence.

Although concrete proof that BlackMatter is just the DarkSide ransomware gang rebranded does not yet exist, these similarities make it a distinct possibility.