{
	"id": "bb495fd5-f6bc-42af-a24a-d082580d57a2",
	"created_at": "2026-04-06T01:30:09.978Z",
	"updated_at": "2026-04-10T13:11:40.701488Z",
	"deleted_at": null,
	"sha1_hash": "ef4843baadd7239871977796ad5a0fb0fb577f62",
	"title": "Chatter Indicates BlackMatter as REvil Successor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 230541,
	"plain_text": "Chatter Indicates BlackMatter as REvil Successor\r\nBy Flashpoint\r\nPublished: 2021-07-27 · Archived: 2026-04-06 01:26:36 UTC\r\nBlackMatter Registration\r\nOn July 19, 2021, a threat actor operating under the alias “BlackMatter” registered an account on the high-tier\r\nRussian-language illicit forums XSS and Exploit. The actor deposited 4 BTC (approximately $150,000 USD) into\r\ntheir escrow account. Large deposits on the forum indicate the seriousness of the threat actor. On July 21, the\r\nthreat actor posted a notice on the forums, stating they are looking to purchase access to infected corporate\r\nnetworks in the US, Canada, Australia, and the UK, presumably for ransomware operations. The threat actor said\r\nthey are looking for larger corporate networks with revenues of over US $100 million. \r\nWhile the inclusion of Five Eyes countries is notable, it is likely more financially-motivated than strategic. US,\r\nCanada, Australia, and the UK are ranked among the top 10 most-targeted countries for publicly-reported\r\nincidents on ransomware blogs and, further, the April 2021 paper from the Institute for Security and Technology\r\nRansomware Task Force highlighted that White House and DNI would coordinate with Five Eyes on a number of\r\naction items for combating ransomware.1  Recent reports highlight intelligence sharing with partner countries on\r\nsuspicious cryptocurrency transactions in foreign exchanges.2\r\nRe-emergence?  \r\nThe timing of the post is interesting in that it occurred two months after XSS, Exploit, and Raid Forums banished\r\nthe DarkSide ransomware group, and forbade the discussion and solicitation of ransomware with the forums.\r\nDarkSide ransomware group was responsible for extorting Colonial Pipeline, resulting in a disruption in one of the\r\nlargest oil pipelines in the United States. 
Shortly after the incident, DarkSide’s blog was offline and the Justice\r\nDepartment claimed that they recovered $2.3 million from Colonial’s ransomware payment.3 “UNKN” (aka\r\n“Unknown”), a representative of REvil, relayed DarkSide’s shutdown through a forum post. \r\n1 https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf\r\n2 https://edition.cnn.com/2021/07/06/politics/white-house-ransomware-strategy/index.html\r\n3 https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside\r\nOn July 13, 2021, REvil abruptly shut down their ransomware blog. On the same day, XSS banned REvil’s\r\nspokesperson UNKN. The shutdown followed REvil’s high-profile ransomware attack against the technology\r\nprovider, Kaseya.\r\nBlackMatter does not openly state that they are a ransomware collective operator, which technically doesn’t break\r\nthe rules of the forums, though the language of their post, as well as their goals, clearly indicate that they are a\r\nransomware collective operator.\r\nRe-branding?\r\nThe emergence of a new group following the closure of DarkSide and REvil leaves threat actors questioning their\r\norigins, and if this is a possible rebranding. Both BlackMatter and UNKN appear to have similar rules around\r\ntargeting. For example, both BlackMatter and UNKN explicitly say they will not target medical and government\r\ninstitutions. Regarding tactics, both groups use the same public corporate databases to research possible victims.\r\nFurthermore, Flashpoint analysts note that REvil previously labeled their Windows Registry key\r\n“BlackLivesMatter.” \r\nWhile the information may not be a smoking gun, it may indicate that REvil has not gone totally offline, but\r\nmerely took a small hiatus following some high-profile breaches. 
It is also important to note that two posts and a\r\nlarge escrow account do not make a ransomware group. It is possible that copycats are intentionally mimicking the\r\nbehavior of REvil to gain immediate credibility for allegedly being the reincarnation of REvil. \r\nRan Somewhere? No, Still Here\r\nWhile recent bans on forums made it significantly harder for ransomware collectives to recruit partners,\r\nnevertheless ransomware collectives are finding new creative avenues to attract threat actors, who would be\r\ninterested in working with them.\r\nFor instance, on July 22, 2021, Flashpoint observed an advertisement of the partner program of the AvosLocker\r\nRansomware collective. The advertisement was distributed on Jabber via a service called “HQ Advert Services,”\r\nwhich specializes in mass spam campaigns via Jabber and Telegram. HQ Advert and other similar services\r\nmaintain a list of Jabber and Telegram handles and are able to distribute the advertisements of interest for a fee.\r\nPrior to that, ransomware actors have also maintained communications on a number of other platforms. Some,\r\nsuch as Black Shadow, maintain Telegram accounts, others, such as LockBit 2.0, run ransomware-as-a-service\r\n(RaaS) recruitment on their forums, and still others have moved to new forums for RaaS recruitment such as\r\nBabuk’s RAMP forum.\r\nAt this time, we can only assess the possible origins and intentions of BlackMatter. Their presence on XSS and\r\nExploit highlights the increasing importance of those forums in ransomware recruitment, despite the apparent bans\r\nin May 2021. \r\nRe-recruitment\r\nOn July 27, the group began recruiting potential partners and affiliates via IM protocol, Jabber. 
Notably, the group\r\nis using Exploit’s Jabber server to send out their recruitment message, again showing ransomware groups utilizing\r\nExploit’s infrastructure to forward their nefarious agenda despite an alleged ban.\r\nIn the advertisement, BlackMatter announced they were looking for experienced penetration testers who work\r\nwith Windows and Linux systems and initial access suppliers, who would either sell their access or work for a\r\npercentage of the profits. The group listed their Jabber handle and Tox ID, and asked interested parties to contact\r\nthem.\r\nRemodel? Who Wore it Best?\r\nFlashpoint analysts also discovered a leaks site on an onion domain run by the group, in which BlackMatter\r\nexpands its rules on targeting to include restrictions on targeting the oil and gas sector and the defense and CI\r\nsector. The leaks site currently does not list any victims. \r\nAfter the discovery of the site, rumors again abounded claiming that BlackMatter is a rebranding of the group\r\nDarkSide, which went offline after losing control of their infrastructure in May 2021. These rumors are based on\r\nthe design of the BlackMatter leaks site, which is similar to the now-defunct DarkSide leaks site, and by the fact\r\nthat BlackMatter explicitly stated they would not target the oil and gas industry — a nod to the Colonial Pipeline\r\nbreach which proved DarkSide’s demise. At this time, there is no concrete evidence connecting the two and \r\nWhen DarkSide went offline and their alias “darksupp” was banned from the Russian-language illicit forum XSS,\r\nthe administrators seized the group’s sizable deposit of 23 BTC (approximately US $911,000) and distributed it\r\namong former DarkSide partners. 
This is notable because such a move might have discouraged any former\r\nmembers of DarkSide from making substantial deposits on illicit forums, as BlackMatter did when making a BTC 4\r\ndeposit on Exploit.\r\nImage 1: Screenshot of the BlackMatter leaks site, which bears a resemblance to DarkSide’s now-defunct leaks site.\r\nTrack Ransomware Activity With Flashpoint\r\nThe data above was discovered directly through analyst research in the Flashpoint platform. Sign up for a free\r\ntrial, and see firsthand how Flashpoint can help you and your organization access the most critical information\r\naffecting your industry and the security community.\r\nSource: https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/"
	],
	"report_names": [
		"chatter-indicates-blackmatter-as-revil-successor"
	],
	"threat_actors": [
		{
			"id": "4023e661-f566-4b5b-a06f-9d370403f074",
			"created_at": "2024-02-02T02:00:04.064685Z",
			"updated_at": "2026-04-10T02:00:03.547155Z",
			"deleted_at": null,
			"main_name": "Pink Sandstorm",
			"aliases": [
				"AMERICIUM",
				"BlackShadow",
				"DEV-0022",
				"Agrius",
				"Agonizing Serpens",
				"UNC2428",
				"Black Shadow",
				"SPECTRAL KITTEN"
			],
			"source_name": "MISPGALAXY:Pink Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439009,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef4843baadd7239871977796ad5a0fb0fb577f62.pdf",
		"text": "https://archive.orkl.eu/ef4843baadd7239871977796ad5a0fb0fb577f62.txt",
		"img": "https://archive.orkl.eu/ef4843baadd7239871977796ad5a0fb0fb577f62.jpg"
	}
}