Security experts expect to see BlackMatter ransomware gang again soon


Further to the news that the ransomware group BlackMatter has ceased operations, many security experts are concerned that the group has not fully disappeared.

To canvass opinion, Digital Journal caught up with George Glass, Redscan head of threat intel, and Dr Süleyman Özarslan, co-founder of Picus Security and head of Picus Labs.

Picus is a Turkish security company specialising in simulating the attacks of cybercriminal gangs (including BlackMatter and DarkSide before them).

What was BlackMatter?

BlackMatter was a relatively new ransomware threat discovered at the end of July 2021.

This group started with a run of attacks and some advertising from its developers claiming that it takes the best parts of other malware, such as GandCrab, LockBit and DarkSide. According to McAfee Enterprise Advanced Threat Research (ATR), the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack, which caught the attention of the U.S. government and law enforcement agencies around the world.

The main goal of BlackMatter was to encrypt files on the infected computer and demand a ransom for decrypting them. A second goal is to steal files and private information from compromised servers and demand an additional ransom in exchange for not publishing them on the Internet.

Dr Süleyman Özarslan, Picus Security

According to Özarslan, we can expect the same hacker group to return in a different guise: “BlackMatter is operated by the same criminals behind the DarkSide ransomware gang so it’s highly likely that the perpetrators will reform under a different guise.”

This occurs, says Özarslan, because: “Ransomware gangs are highly resilient and typically rebrand in 6-month cycles. After the Colonial Pipeline attack, for example, Darkside was banned from many cybercrime forums for attacking a provider of critical infrastructure – prompting the decision to reform under a new name.”

These rogue actors are driven by “The high…