{
	"id": "8a4779b8-cd31-4ff3-896f-e72f3b6064ab",
	"created_at": "2026-04-06T00:12:29.576399Z",
	"updated_at": "2026-04-10T13:12:06.148287Z",
	"deleted_at": null,
	"sha1_hash": "61281c78fa12cfb8877da1b6b08379849477eed3",
	"title": "BlackMatter ransomware targets companies with revenue of $100 million and more",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 202515,
	"plain_text": "BlackMatter ransomware targets companies with revenue of $100\r\nmillion and more\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-12 · Archived: 2026-04-05 15:54:22 UTC\r\nA new ransomware gang launched into operation this week, claiming to combine the best features of the\r\nnow-defunct Darkside and REvil ransomware groups, Recorded Future analysts have discovered.\r\nNamed BlackMatter, the group is currently recruiting affiliates (collaborators) through ads posted on two\r\ncybercrime forums named Exploit and XSS.\r\nAlthough ads for ransomware operations have been banned on the two forums since May, the BlackMatter group\r\nis not advertising its Ransomware-as-a-Service (RaaS) offering directly but has posted ads for recruiting \"initial\r\naccess brokers,\" a term used to describe individuals with access to hacked enterprise networks.\r\nAccording to the gang's ads, BlackMatter is interested in working with brokers who can grant it access to apex\r\ncorporate networks—for companies that have revenues of $100 million/year or larger.\r\nPer the BlackMatter gang, the networks need to have between 500 and 15,000 hosts and be located in the US, the\r\nUK, Canada, or Australia.\r\nhttps://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/\r\nPage 1 of 4\n\nThe BlackMatter group says it is willing to pay up to $100,000 for exclusive access to any of these high-value\r\nnetworks.\r\nOnce the group finds a suitable target, they will use the access granted by the broker to deploy tools that take over\r\na company's internal systems and then deploy their file-encrypting payload.\r\nThe group boasted about having the ability to encrypt different operating system versions and architectures. 
This\r\nincludes the likes of Windows systems (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+\r\nvirtual endpoints, and network-attached storage (NAS) devices (such as Synology, OpenMediaVault, FreeNAS,\r\nand TrueNAS).\r\nBlackMatter also operates a dark web leak site\r\nJust like most top-tier ransomware gangs today, BlackMatter also operates a website on the dark web—called\r\na leak site—where it intends to publish data they steal from their victims if the hacked company does not agree to\r\npay to decrypt their files.\r\nThis site is currently empty, confirming that the BlackMatter group only launched this week and did not carry out\r\nany intrusions just yet.\r\nIn a section of this website, the BlackMatter group also lists a spectrum of targets that they do not intend to attack.\r\nThis includes [sic]:\r\nHospitals.\r\nCritical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).\r\nOil and gas industry (pipelines, oil refineries).\r\nDefense industry.\r\nNon-profit companies.\r\nGovernment sector.\r\nThe BlackMatter gang claims that if a victim from these industry verticals is infected, they plan to decrypt their\r\ndata for free.\r\nThis section is eerily similar to a section that was previously available on the leak site of the Darkside gang,\r\nwhich ceased operations after an attack on US pipeline operator Colonial.\r\nRecorded Future analysts, who spotted this new group's infrastructure earlier this week, told The Record that\r\nbased on the observed evidence so far, they believe that there is a connection between BlackMatter and the former\r\nDarkside group, although this connection is still under investigation.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/"
	],
	"report_names": [
		"blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more"
	],
	"threat_actors": [],
	"ts_created_at": 1775434349,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/61281c78fa12cfb8877da1b6b08379849477eed3.pdf",
		"text": "https://archive.orkl.eu/61281c78fa12cfb8877da1b6b08379849477eed3.txt",
		"img": "https://archive.orkl.eu/61281c78fa12cfb8877da1b6b08379849477eed3.jpg"
	}
}