{
	"id": "6ede10ea-1ac2-4968-9873-a675c5972af9",
	"created_at": "2026-04-06T00:08:43.431551Z",
	"updated_at": "2026-04-10T13:12:06.333412Z",
	"deleted_at": null,
	"sha1_hash": "3859baa964b3b34221a820a814ffbf0b0f9910c7",
	"title": "DarkSide ransomware gang returns as new BlackMatter operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2117069,
	"plain_text": "DarkSide ransomware gang returns as new BlackMatter operation\r\nBy Lawrence Abrams\r\nPublished: 2021-07-31 · Archived: 2026-04-05 13:39:22 UTC\r\nEncryption algorithms found in a decryptor show that the notorious DarkSide ransomware gang has rebranded as a new BlackMatter ransomware operation and is actively performing attacks on corporate entities.\r\nAfter conducting an attack on Colonial Pipeline, the US's largest fuel pipeline, and causing fuel shortages in the southeast of the USA, the DarkSide ransomware group faced increased scrutiny by international law enforcement and the US government.\r\nIn May, the DarkSide ransomware operation suddenly shut down after losing access to their servers, and their cryptocurrency was seized by an unknown third party.\r\nhttps://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/\r\nPage 1 of 5\r\nIt was later learned that the FBI recovered 63.7 Bitcoins of the approximately 75 Bitcoin ($4 million) ransom payment made by Colonial Pipeline.\r\nThis week, a new ransomware operation known as BlackMatter emerged that is actively attacking victims and purchasing network access from other threat actors to launch new attacks.\r\nBlackMatter data leak site\r\nBleepingComputer is aware of multiple victims targeted by BlackMatter with ransom demands ranging from $3 to $4 million. One victim has already paid a $4 million ransom to BlackMatter this week to delete stolen data and receive both a Windows and a Linux ESXi decryptor.\r\nBlackMatter ransom note\r\nBlackMatter's encryption routines match DarkSide\r\nWhile researching the new ransomware group, BleepingComputer found a decryptor from a BlackMatter victim and shared it with Emsisoft CTO and ransomware expert Fabian Wosar.\r\nAfter analyzing the decryptor, Wosar confirmed that the new BlackMatter group is using the same unique encryption methods that DarkSide had used in their attacks.\r\nWosar told BleepingComputer that the encryption routines used by BlackMatter are pretty much the same, including a custom Salsa20 matrix unique to DarkSide.\r\nWhen encrypting data with the Salsa20 stream cipher, the developer supplies an initial matrix (the cipher state) consisting of sixteen 32-bit words; in the standard construction these words hold fixed constants, the key, the nonce, and the block position.\r\nSalsa20 matrix\r\nSource: Wikipedia\r\nFabian told BleepingComputer that, when encrypting files, DarkSide does not use the standard constant strings, position, nonce, and key; instead, for each encrypted file, it fills all sixteen words with random data.\r\nThis matrix is then encrypted with a public RSA key and stored in the footer of the encrypted file.\r\nFabian says this Salsa20 implementation was previously only used by DarkSide, and now BlackMatter.\r\nBleepingComputer was also told that DarkSide used an RSA-1024 implementation unique to their encryptor, which BlackMatter also uses.\r\nWhile there is not 100% proof that BlackMatter is a rebrand of the DarkSide operation, many similar characteristics make it hard to believe this is not the case.\r\nWhen we take the same encryption algorithms, the similar language used on the BlackMatter sites, the similar craving for media attention, and the similar color themes for their TOR sites, it is highly likely that BlackMatter is the new DarkSide.\r\nA rebrand from DarkSide also explains why the new BlackMatter group won't target the \"Oil and Gas industry (pipelines, oil refineries),\" the sector that led to their previous downfall.\r\nUnfortunately, this is a highly skilled group that targets multiple device architectures, including Windows, Linux, and ESXi servers.\r\nDue to this, we will need to keep an eye on this new group, as they will surely perform attacks on well-known targets in the future.\r\nSource: https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/",
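	"editor_example": "The Salsa20 passage in plain_text above describes a cipher state of sixteen 32-bit words that DarkSide and BlackMatter fill entirely with random data for each file, wrap under an RSA public key, and store in the encrypted file's footer. The Python below is an added editor example, not code from the article or from the malware: it implements the real Salsa20/20 core, builds both the textbook matrix and a fully random one, and writes and reads a footer carrying the RSA-wrapped matrix. The footer layout (wrapped matrix followed by a two-byte length), keeping words 8 and 9 as the block counter, and the unpadded textbook RSA are assumptions chosen so the scheme runs offline; the real encryptors' file layout is not described on the page. What it shows in practice: the keystream depends only on those 64 bytes, so once the footer is written, only the holder of the RSA private key can recover the matrix and decrypt the file.

```python
# Added editor example; not DarkSide/BlackMatter code. The footer layout,
# the block-counter positions and the unpadded textbook RSA are assumptions.
import os
import random
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack('<4I', b'expand 32-byte k')  # standard Salsa20 constants
_rng = random.SystemRandom()

def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK

def _quarter(x, a, b, c, d):
    # Salsa20 quarterround, in place on words a, b, c, d of x.
    x[b] ^= _rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= _rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= _rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= _rotl((x[d] + x[c]) & MASK, 18)

def salsa20_core(state):
    # Salsa20/20 hash of a 16-word state: ten double rounds, then add the input back.
    x = list(state)
    for _ in range(10):
        _quarter(x, 0, 4, 8, 12); _quarter(x, 5, 9, 13, 1)      # column round
        _quarter(x, 10, 14, 2, 6); _quarter(x, 15, 3, 7, 11)
        _quarter(x, 0, 1, 2, 3); _quarter(x, 5, 6, 7, 4)        # row round
        _quarter(x, 10, 11, 8, 9); _quarter(x, 15, 12, 13, 14)
    return [(x[i] + state[i]) & MASK for i in range(16)]

def standard_matrix(key32, nonce8):
    # Textbook layout: constants on the diagonal, 256-bit key, 64-bit nonce, 64-bit counter.
    k = struct.unpack('<8I', key32)
    n = struct.unpack('<2I', nonce8)
    return [SIGMA[0], k[0], k[1], k[2],
            k[3], SIGMA[1], n[0], n[1],
            0, 0, SIGMA[2], k[4],
            k[5], k[6], k[7], SIGMA[3]]

def random_matrix():
    # DarkSide-style matrix: all sixteen words random, no fixed constants at all.
    return list(struct.unpack('<16I', os.urandom(64)))

def keystream_xor(matrix, data):
    # XOR data with the Salsa20 keystream derived from matrix. Words 8 and 9 are
    # advanced as the block counter (assumption: same positions as standard Salsa20).
    state = list(matrix)
    out = bytearray()
    for off in range(0, len(data), 64):
        block = struct.pack('<16I', *salsa20_core(state))
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], block))
        state[8] = (state[8] + 1) & MASK
        if state[8] == 0:
            state[9] = (state[9] + 1) & MASK
    return bytes(out)

def _probable_prime(n, rounds=24):
    # Miller-Rabin primality test; adequate for a demo key.
    small = (2, 3, 5, 7, 11, 13, 17, 19)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=1024):
    # Textbook RSA key pair (no OAEP padding): illustration only, not a production wrapper.
    def prime(b):
        while True:
            c = _rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def encrypt_file(plain, pub):
    # Output: ciphertext || RSA(matrix) || 2-byte little-endian footer length (assumed layout).
    n, e = pub
    matrix = random_matrix()
    raw = struct.pack('<16I', *matrix)               # 64 bytes, well below the 1024-bit modulus
    wrapped = pow(int.from_bytes(raw, 'big'), e, n)
    footer = wrapped.to_bytes((n.bit_length() + 7) // 8, 'big')
    return keystream_xor(matrix, plain) + footer + struct.pack('<H', len(footer))

def decrypt_file(blob, priv):
    # Only the private-key holder can unwrap the matrix and so regenerate the keystream.
    n, d = priv
    flen = struct.unpack('<H', blob[-2:])[0]
    body, footer = blob[:-2 - flen], blob[-2 - flen:-2]
    raw = pow(int.from_bytes(footer, 'big'), d, n).to_bytes(64, 'big')
    return keystream_xor(list(struct.unpack('<16I', raw)), body)
```

Run with Python 3.8 or later (pow with a negative exponent is used for the RSA private exponent); generating the 1024-bit demo key in pure Python takes about a second. Note that standard_matrix is included only for contrast: the scheme described in the article never uses the constant words, which is exactly why a decryptor must carry the per-file matrix rather than a key and nonce.",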
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/"
	],
	"report_names": [
		"darkside-ransomware-gang-returns-as-new-blackmatter-operation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434123,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3859baa964b3b34221a820a814ffbf0b0f9910c7.pdf",
		"text": "https://archive.orkl.eu/3859baa964b3b34221a820a814ffbf0b0f9910c7.txt",
		"img": "https://archive.orkl.eu/3859baa964b3b34221a820a814ffbf0b0f9910c7.jpg"
	}
}