{
	"id": "f68b247c-5df8-4e4f-9d11-781c874aa6a1",
	"created_at": "2026-04-06T00:16:27.628528Z",
	"updated_at": "2026-04-10T13:12:32.028709Z",
	"deleted_at": null,
	"sha1_hash": "bfac1a23c7366a29f815edf0a494dd9a124d9123",
	"title": "An interview with BlackMatter: A new ransomware group that's learning from the mistakes of DarkSide and REvil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 182621,
	"plain_text": "An interview with BlackMatter: A new ransomware group that's\r\nlearning from the mistakes of DarkSide and REvil\r\nBy Dmitry Smilyanets\r\nPublished: 2023-01-04 · Archived: 2026-04-05 13:01:22 UTC\r\nEditor’s Note: In July, a new ransomware gang started posting advertisements on various cybercrime forums\r\nannouncing that it was seeking to recruit partners and claiming that it combined the features of notorious groups\r\nlike REvil and DarkSide.\r\nNamed BlackMatter, the gang said it was specifically interested in targeting large companies with annual revenues\r\nof more than $100 million. However, the group said some industries were off limits: It would not extort\r\nhealthcare, critical infrastructure, oil and gas, defense, non-profit, and government organizations.\r\nA representative from the group talked to Recorded Future expert threat intelligence analyst Dmitry Smilyanets\r\nrecently about how BlackMatter is learning from the mistakes of other ransomware groups, what they look for\r\nwhen they recruit partners, and why they avoid certain targets. The interview was conducted in Russian and\r\ntranslated to English with the help of a professional translator, and has been edited for clarity.\r\nDmitry Smilyanets: Your product appeared quite recently and as far as we know, there have been no public\r\nattacks using BlackMatter yet. How long ago did you start developing it?\r\nBlackMatter: There haven't been any attacks yet if you are judging by the public blog. In fact, there have been,\r\nand the companies we attacked are already communicating with us. As long as the negotiations are successful we\r\ndo not publish a blog post on the main page of the blog.\r\nThe product has been in development for the last six months. 
Perhaps it seems simple (judging by the blog or the\r\ncommunication page), but it is not—what users see publicly is the tip of the iceberg.\r\nBefore starting the project, we studied the following products in detail:\r\nLockBit has a good codebase, but a skimpy and non-functional panel (at the time we used their product). If\r\nyou compare it to a car, you can say that this is a Japanese car production line with good engines but an\r\nempty and non-functional interior. You can ride one, but with little pleasure.\r\nREvil is a good project on the whole, time-tested software (since GandCrab, they haven't made any\r\nsignificant edits since that time), a fairly functional panel, but focused more on the overall number of\r\nsuccessful \"loads\" as opposed to specific targeted cryptography.\r\nDarkside is a relatively new software with a good codebase (partly problematic, but the ideas themselves\r\ndeserve notice) and an interesting web part compared to other RaaS.\r\nThe executable itself has incorporated the ideas of LockBit, REvil, and partly DarkSide. The web part has\r\nincorporated the technical approach of DarkSide since we consider it the most structurally correct (separate\r\ncompanies for each target, and so on).\r\nhttps://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/\r\nPage 1 of 6\n\nImage: The Record\r\nDS: How difficult is it to organize an affiliate program (also known as ransomware-as-a-service)?\r\nBM: On the whole, less difficult than not. The level is important, RaaS can also be offline (when builds are issued\r\nvia jabber/tox), but there is no market demand for this and current customers, after using REvil and DarkSide, are\r\nnot ready to take such affiliate programs seriously. 
We created a project and brought it to the market exactly at a\r\ntime when the niche is vacant and the project fully meets the market demands, therefore its success is inevitable.\r\nDS: Most recently, the largest groups—DarkSide, REvil, Avaddon, BABUK—have disappeared from the\r\nscene. Many researchers believe that this was due to the attention of the top leadership of the United States\r\nand Russia to the situation with ransomware attacks. Is it true? Do you think your product will have the\r\nsame fate?\r\nBM: Yes, we believe that to a large extent their exit from the market was associated with the geopolitical situation\r\non the world stage. First of all, this is the fear of the United States and its planning of offensive cyber operations,\r\nas well as a bilateral working group on cyber extortion. We are monitoring the political situation, as well as\r\nreceiving information from other sources. When designing our infrastructure, we took into account all these\r\nfactors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long?\r\nTime will tell. For now, we are focusing on long-term work. We also moderate the targets and will not allow our\r\nproject to be used to encrypt critical infrastructure, which will attract unwanted attention to us.\r\nDS: You mentioned that your product brings together the very best of DarkSide, REvil, and LockBit. What\r\nare their strengths?\r\nBM: Our project has incorporated the strengths of each of the partner programs:\r\nFrom REvil—SafeMode, their implementation was weak and not well thought out, we developed the idea\r\nand thoroughly implemented it. 
We also implemented the PowerShell version of the ransomware variant\r\ngiven the REvil implementation.\r\nFrom LockBit—an approach to the implementation of the codebase, we took some things from there,\r\nmostly little things.\r\nFrom DarkSide—first of all, this is the idea of impersonation (the ability of the encryptor to use the domain\r\nadministrator account to encrypt the shared drives with maximum rights), we also borrowed the structure\r\nof the admin panel from there.\r\nDS: Based on the latest reports published this week, BlackMatter is visually very similar to DarkSide. Can\r\nyou confirm that your infrastructure is based on DarkSide?\r\nBM: We can confidently say that we are fans of dark mode in design, we are familiar with the DarkSide team\r\nfrom working together in the past but we are not them, although we are intimate with their ideas.\r\nDS: LockBit 2.0 is considered the fastest locker at the moment. What is the encryption/decryption speed of\r\nyour variant?\r\nBM: This is not true. After reading the question, we decided to prepare ourselves by downloading the latest\r\npublicly available version of LockBit (end 06.21) and conducting tests, we can state the following:\r\nBlackMatter: 2.22\r\nLockBit: 2.59\r\nThe tests were carried out under the same conditions. Moreover, LockBit encrypts the first 256 KB of the file\r\n(which is pretty bad from the point of view of cryptographic strength). We, on the other hand, encrypt 1 MB.\r\nEssentially, that's the secret to their speed.\r\nDS: Are you planning to add new features to the product, following the example of StealBit?\r\nBM: Yes, the software is constantly being improved, in terms of the new functions that will appear in the near\r\nfuture—printing the text of the note on all available printers. We also watch our competitors and always\r\nimplement what we consider promising and in demand by our clients.\r\nDS: I have already seen several recruiting announcements for your team. 
How many penetration testers\r\nwould you like to recruit? Is it easier to work with a small but strong team, or with an army of script\r\nkiddies?\r\nBM: We are geared toward strong, self-sufficient teams with experience, their own technical solutions, and a real desire\r\nto make money, not someone who wants to try the business out. We usually filter out script kiddies before they get\r\naccess to our admin panel.\r\nDS: Obviously, there are many talented professionals on your team. Why is it that this talent is aimed at\r\ndestructive activities? Have you tried legal penetration testing?\r\nBM: We do not deny that business is destructive, but if we look deeper—as a result of these problems new\r\ntechnologies are developed and created. If everything was good everywhere there would be no room for new\r\ndevelopment.\r\nThere is one life and we take everything from it, our business does not harm individuals and is aimed only at\r\ncompanies, and the company always has the ability to pay funds and restore all its data. 
\r\nWe have not been involved in legal pentesting and we believe that this could not bring the proper material reward.\r\nDS: What do you think about the attacks carried out against Colonial Pipeline’s infrastructure or JBS?\r\nDoes it make sense to attack such large networks?\r\nBM: We think that this was a key factor for the closure of REvil and DarkSide, we have forbidden that type of\r\ntargeting and we see no sense in attacking them.\r\nDS: The US Department of Justice said they were able to recover some of the bitcoins paid by Colonial.\r\nHow do you think this happened?\r\nBM: We think that the DarkSide team or their partners transferred bitcoins to web wallets, which led to the seizure\r\nof private keys.\r\nImage: The Record\r\nDS: You are actively buying access to the networks and declare that you are NOT interested in government\r\nand medical institutions. At the same time, you stated that you will not encrypt a wider range of industries,\r\nincluding critical infrastructure, defense, non-profit, and oil. Who has the last word to encrypt the network\r\nor not?\r\nBM: The last word is ours. We check each target and decide if it has potential negative consequences for us. The\r\ndiscrepancy between the industries in the blog and on the forum is related to marketing. In personal\r\ncorrespondence we filter out those which we are not interested in.\r\nDS: What type of primary network access is the easiest in 2021 in your opinion?\r\nBM: We do not work with VPN and other time-consuming types of initial access but are focused on getting direct\r\naccess to the network immediately.\r\nDS: What is more effective in motivating the company to pay: the infrastructure being unavailable, or the\r\nfear of a data leak?\r\nBM: It varies from company to company. 
For some it is important to maintain confidentiality, and for others it’s\r\nrestoring infrastructure. If the network is completely encrypted and there is also a risk of data being published, the\r\ncompany will most likely pay.\r\nDS: Unknown spoke about a special outlook towards insurance companies. Do you think that if insurance\r\ncompanies abruptly stop covering ransomware incidents it will change your interest in ransomware?\r\nBM: It will not change, the companies will continue to pay money regardless. It is possible that the amount being\r\npaid will decrease.\r\nNow the insurance fees have increased, but fearing that they will be left alone in the situation everyone will\r\ncontinue buying the insurance.\r\nDS: What's happened with Unknown? There are a lot of rumors, can you clarify the situation?\r\nBM: We do not know. Most likely, after the last payment, he went on vacation or is preparing a rebranding of their\r\nproject.\r\nDS: Tell me a secret.\r\nBM: There are no secrets, but we believe in our motherland, we love our families, and we earn money for our\r\nchildren.\r\nDmitry Smilyanets\r\nMission-driven and Russian-speaking intelligence analyst with type A personality. Dmitry has twenty years of\r\nexperience and expertise in cybercrime activity that includes being a former member of an elite Russian-based\r\nhacking organization.\r\nSource: https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/"
	],
	"report_names": [
		"an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil"
	],
	"threat_actors": [],
	"ts_created_at": 1775434587,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bfac1a23c7366a29f815edf0a494dd9a124d9123.pdf",
		"text": "https://archive.orkl.eu/bfac1a23c7366a29f815edf0a494dd9a124d9123.txt",
		"img": "https://archive.orkl.eu/bfac1a23c7366a29f815edf0a494dd9a124d9123.jpg"
	}
}