{
	"id": "1da75aec-ce15-42dd-bc63-a2b569e0d783",
	"created_at": "2026-04-06T00:11:37.611604Z",
	"updated_at": "2026-04-10T03:21:03.689219Z",
	"deleted_at": null,
	"sha1_hash": "e49fadbb455f886963d96d1e01c8e4bf0ffd7be7",
	"title": "BlackMatter ransomware gang rises from the ashes of DarkSide, REvil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2143944,
	"plain_text": "BlackMatter ransomware gang rises from the ashes of DarkSide, REvil\r\nBy Lawrence Abrams\r\nPublished: 2021-07-31 · Archived: 2026-04-05 13:21:07 UTC\r\nA new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best\r\nfeatures from the notorious and now-defunct REvil and DarkSide operations.\r\nLast week, both Recorded Future and security researcher pancak3 shared that a new threat actor named 'BlackMatter' had\r\nposted to hacking forums where they want to purchase access to corporate networks.\r\nhttps://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/\r\nPage 1 of 7\n\nForum post by BlackMatter to the Exploit forum\r\nIn the post, the threat actor stated that they want to buy access to networks in the USA, Canada, Australia, and Great Britain,\r\nexcept for networks associated with medical and government entities.\r\nThey further shared that they were willing to spend $3,000 to $100,000 per network that had the following criteria:\r\nRevenue of $100 million or more.\r\nThe network should contain 500-15,000 devices.\r\nIt should be a new network that other threat actors have not already targeted.\r\nTo show that they were serious, the threat actor deposited four bitcoins ($120,000) in the Exile hacking forum's\r\ncryptocurrency wallet.\r\nAs forums promoting ransomware are now banned on the XSS and Exploit forums, the threat actor did not indicate how\r\nthey would use the network access.\r\nBlackMatter ransomware gang emerges\r\nThat same day, researchers from Recorded 
Future revealed that a new Tor data leak site for a 'BlackMatter' ransomware\r\noperation appeared on the dark web last week.\r\nThe name indicates that the BlackMatter threat actor is the public-facing representative for the ransomware operation under\r\nthe same name.\r\nNew BlackMatter data leak site\r\nIn addition to posting information about themselves and their operation, BlackMatter states that they will not target entities in the\r\nfollowing industries:\r\nHospitals.\r\nCritical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).\r\nOil and gas industry (pipelines, oil refineries).\r\nDefense industry.\r\nNon-profit companies.\r\nGovernment sector.\r\nRecorded Future says the gang's ransomware executables come in various formats so that they can encrypt different\r\noperating systems and device architecture.\r\n\"The ransomware is provided for several different operating systems versions and architectures and is deliverable in a\r\nvariety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux\r\nvariant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS),\" reported Recorded Future.\r\n\"According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64\r\nand Windows 7+ x64 / x86. The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and\r\nCentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN.\"\r\nAt this time, there are no victims listed on the site. However, the ransomware gang states that \"all blogs hidden for now. 
For\r\na very short time,\" indicating that they are actively attacking victims.\r\nBleepingComputer has been able to confirm that there are active attacks underway and that at least one victim paid $4\r\nmillion to the threat actors this week.\r\nBlackMatter Tor negotiation site\r\nSource: BleepingComputer\r\nBased on the negotiation chat, this is a veteran ransomware operation and most likely a rebrand of one of the larger and\r\nnow-defunct groups that recently shut down.\r\nRising from the ashes of DarkSide and REvil?\r\nInformation discovered by security researchers as well as the similarities in web sites and partners may indicate that\r\nBlackMatter has recruited or was created by threat actors that were previously with the DarkSide and the REvil ransomware\r\noperations.\r\nAs ransomware gangs commonly rebrand to evade law enforcement, when we first reported on DarkSide in August 2020,\r\nsome security researchers and law enforcement believed REvil was rebranding as the new DarkSide operation.\r\nHowever, both gangs continued operating side-by-side for almost a year until DarkSide attacked Colonial Pipeline. Feeling\r\nthe full pressure of the US government and law enforcement, DarkSide shut down its operation in May.\r\nThe shutdown of DarkSide was first reported by REvil's public-facing representative, Unknown, who posted about it on a\r\nhacking forum.\r\nForum post by UKNK about DarkSide seizure\r\nTwo months later, it was REvil's turn to shut down after conducting a massive attack on managed service\r\nproviders worldwide through a zero-day Kaseya VSA vulnerability.\r\nLike DarkSide, REvil was feeling massive pressure from the US government and international law enforcement. 
It is widely\r\nspeculated that the Russian government told them to shut down and disappear for a while.\r\nAfter seeing the BlackMatter Tor site, security researchers found that it showed a strong resemblance to the now-defunct\r\nDarkSide ransomware's Tor site.\r\nBoth pages share a similar color theme, similar language, a similar way of referring to themselves, and also include a list of\r\ntargets they would not attack.\r\nRecorded Future also reported that BlackMatter said, \"The project has incorporated in itself the best features of DarkSide,\r\nREvil, and LockBit.\"\r\nFinally, cybersecurity firm Mandiant has seen indicators suggesting that an actor previously connected to DarkSide is now\r\npartnering with BlackMatter.\r\n\"We have seen some indication that currently suggests that at least one actor connected to some DARKSIDE ransomware\r\noperations is aligning themselves with BLACKMATTER,\" Kimberly Goody, Mandiant Director of Financial Crime\r\nAnalysis, told BleepingComputer.\r\n\"This isn’t necessarily surprising as we commonly see ransomware affiliates partnering with multiple providers.\"\r\nWhile many clues indicate that this may be a rebrand of DarkSide, or possibly created by actors from both groups, we will\r\nnot know for sure until a sample of the ransomware is analyzed for code similarities.\r\nAs BlackMatter attacks are ongoing, researchers will likely find a sample soon.\r\nSource: https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/"
	],
	"report_names": [
		"blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil"
	],
	"threat_actors": [],
	"ts_created_at": 1775434297,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e49fadbb455f886963d96d1e01c8e4bf0ffd7be7.pdf",
		"text": "https://archive.orkl.eu/e49fadbb455f886963d96d1e01c8e4bf0ffd7be7.txt",
		"img": "https://archive.orkl.eu/e49fadbb455f886963d96d1e01c8e4bf0ffd7be7.jpg"
	}
}