On Friday May 7, 2021, an affiliate of the DarkSide Ransomware-as-a-Service (RaaS) hit Colonial Pipeline, a major U.S. The attack led to widespread supply disruption, global headlines, and intense scrutiny by the national authorities. A week later, DarkSide announced it was shutting down its operations after its servers were allegedly seized and its cryptocurrency wallets drained.

DarkSide was followed into apparent retirement by another ransomware service, REvil, the threat actor behind the attack on Kaseya.

In late July, a new RaaS appeared on the scene. Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0. SophosLabs decided to take a closer look at the malware and the claims being made by the new adversary to see what’s really going on.

Note: A Ransomware-as-a-Service (RaaS) comprises a core group of developers who maintain the ransomware and payment sites as well as recruited affiliates or “customers” who rent the ransomware, breach victims’ networks and encrypt devices.

The Sophos research is based on a sample of the BlackMatter ransomware, with the SHA-256 hash: 22D7D67C3AF10B1A37F277EBABE2D1EB4FD25AFBD6437D4377400E148BCC08D6.

The operators behind the BlackMatter RaaS have established a presence on the dark web:

The list of sectors and entities this threat actor says it will not attack reflects the recent global incidents involving DarkSide (Colonial Pipeline) and REvil (Kaseya) ransomware, which drew widespread and probably unwelcome attention.

The operators behind BlackMatter claim that their ransomware incorporates the best features of DarkSide, REvil, and LockBit 2.0 ransomware. They also say that while they are closely acquainted with the DarkSide operators, they are not the same people.

To better understand the potential relationships between the ransomware groups, SophosLabs has analyzed a BlackMatter ransomware sample, and uncovered a number of technical similarities with DarkSide and the other ransomware families that are worth noting. Below is a short comparison of some of the capabilities seen in the various groups:

When victims are hit with the BlackMatter ransomware and the files on the drives are encrypted, BlackMatter sets a wallpaper that is very similar to DarkSide’s.

Figure: DarkSide resetting the desktop wallpaper to a ransom notice

Figure: BlackMatter resetting the desktop wallpaper to a ransom notice

Also, like DarkSide, the wallpaper is stored in the same folder on disk (C:\ProgramData), with an identical file size (2,818,366 bytes), image format (.BMP) and image size (1706 x 826 pixels, 16-bit color depth).

Initial access brokers

Although DarkSide (and REvil) seem to have disappeared from the RaaS scene, we have detected an increase in LockBit 2.0 ransomware attacks. A recent ransom wallpaper set by LockBit contains an advertisement to recruit an initial access broker, possibly a corporate insider, to help them breach and encrypt networks for million-dollar payouts:

Figure: LockBit 2.0 resetting the desktop wallpaper to a ransom notice with a recruitment ad
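The wallpaper details above (C:\ProgramData, 2,818,366 bytes, .BMP, 1706 x 826 pixels, 16-bit color) are concrete enough to turn into a host-side check. The script below is an added example, not Sophos code: it parses the standard BMP file header, confirms that the quoted byte count is exactly what a 54-byte header plus 1706 x 826 x 16-bit pixel rows produces, and flags files in a directory that match every indicator. The directory path and the constructed sample header are assumptions for the demonstration; the header layout is the documented BITMAPFILEHEADER/BITMAPINFOHEADER format.

```python
import os
import struct
from typing import Optional

# Indicators quoted in the article for the DarkSide/BlackMatter ransom wallpaper.
WALLPAPER_DIR = r"C:\ProgramData"
WALLPAPER_SIZE = 2_818_366
WALLPAPER_WIDTH = 1706
WALLPAPER_HEIGHT = 826
WALLPAPER_BPP = 16

# BITMAPFILEHEADER (14 bytes) followed by the first 24 bytes of BITMAPINFOHEADER,
# all little-endian: magic, file size, 2 reserved words, pixel offset, info-header
# size, width, height, planes, bits per pixel, compression, image size.
BMP_HEADER_FMT = "<2sIHHIIiiHHII"
BMP_HEADER_LEN = struct.calcsize(BMP_HEADER_FMT)  # 38 bytes


def parse_bmp_header(data: bytes) -> Optional[dict]:
    """Parse the fixed BMP header; return None when the bytes are not a BMP."""
    if len(data) < BMP_HEADER_LEN:
        return None
    (magic, file_size, _r1, _r2, pixel_offset, info_size, width, height,
     planes, bpp, compression, image_size) = struct.unpack(
        BMP_HEADER_FMT, data[:BMP_HEADER_LEN])
    if magic != b"BM":
        return None
    return {
        "file_size": file_size, "pixel_offset": pixel_offset,
        "info_size": info_size, "width": width, "height": height,
        "planes": planes, "bpp": bpp, "compression": compression,
        "image_size": image_size,
    }


def expected_bmp_size(width: int, height: int, bpp: int, header_len: int = 54) -> int:
    """Size of an uncompressed BMP: header plus rows padded to 4-byte boundaries."""
    row_stride = ((width * bpp + 31) // 32) * 4
    return header_len + row_stride * abs(height)


def matches_wallpaper_indicator(header: dict, file_size: int) -> bool:
    """True when size, dimensions and color depth all match the article's values."""
    return (file_size == WALLPAPER_SIZE
            and header["width"] == WALLPAPER_WIDTH
            and abs(header["height"]) == WALLPAPER_HEIGHT  # negative height = top-down BMP
            and header["bpp"] == WALLPAPER_BPP)


def scan_directory(directory: str) -> list:
    """Return paths of files in `directory` that match the wallpaper indicators."""
    hits = []
    try:
        entries = os.scandir(directory)
    except OSError:
        return hits  # missing or unreadable directory: nothing to report
    with entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            try:
                st = entry.stat(follow_symlinks=False)
                if st.st_size != WALLPAPER_SIZE:
                    continue  # cheap size pre-filter before opening the file
                with open(entry.path, "rb") as fh:
                    header = parse_bmp_header(fh.read(BMP_HEADER_LEN))
            except OSError:
                continue
            if header and matches_wallpaper_indicator(header, st.st_size):
                hits.append(entry.path)
    return hits


def build_sample_header() -> bytes:
    """Constructed 54-byte BMP header with the article's dimensions (test input only)."""
    fixed = struct.pack(BMP_HEADER_FMT, b"BM", WALLPAPER_SIZE, 0, 0, 54, 40,
                        WALLPAPER_WIDTH, WALLPAPER_HEIGHT, 1, WALLPAPER_BPP, 0,
                        WALLPAPER_SIZE - 54)
    return fixed + b"\x00" * (54 - BMP_HEADER_LEN)  # remaining BITMAPINFOHEADER fields


if __name__ == "__main__":
    print("quoted size consistent with 1706x826x16bpp:",
          expected_bmp_size(WALLPAPER_WIDTH, WALLPAPER_HEIGHT, WALLPAPER_BPP) == WALLPAPER_SIZE)
    for path in scan_directory(WALLPAPER_DIR):
        print("wallpaper indicator match:", path)
```

The size check is the useful part: 1706 pixels at 2 bytes each is a 3,412-byte row (already 4-byte aligned), 826 rows give 2,818,312 bytes, and the 54-byte header brings the total to exactly 2,818,366. A match on all four attributes is therefore a strong sign that the same image was dropped, while a size-only match can be treated as a weaker hint worth a manual look.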