Fraud Management & Cybercrime , Governance & Risk Management , IT Risk Management

BlackMatter Group Debuts Linux-Targeting Ransomware

VMware ESXi Servers Targeted by Crypto-Locking Malware, MalwareHunterTeam Warns
BlackMatter Group Debuts Linux-Targeting Ransomware

The new BlackMatter Russian-speaking ransomware-as-a-service group, which announced its launch last month, has created a Linux version of its malware designed to target VMware's ESXi servers hosting virtual machines, according to the security research group known as MalwareHunterTeam.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

Someone using the handle "BlackMatter" first posted to both the XSS and Exploit Russian-language cybercrime forums on July 19, stating that the group wanted to recruit affiliates, says threat intelligence firm Flashpoint.

The BlackMatter operation further stated that it has incorporated the "best" features of DarkSide, REvil and LockBit malware, according to threat intelligence firm Recorded Future (see: BlackMatter Ransomware Claims to Be Best of REvil, DarkSide).

The reference to those groups - both DarkSide and REvil, aka Sodinokibi - led some ransomware watchers to wonder if BlackMatter might be a spinoff. DarkSide, notably, announced on May 13 that it was shutting down after its attack on Colonial Pipeline Co., which led to a run on gasoline and a temporary shutdown of Colonial’s pipeline serving much of the U.S. East Coast, sparking a furious response from the White House, leveled in part at the Russian government, over its failure to crack down on domestic cybercriminals (see: DarkSide Ransomware Gang Says It Has Shut Down).

Many ransomware watchers had expected DarkSide and REvil to soon crop up under different names.

DarkSide Rebrand

Sure enough, multiple experts say BlackMatter appears to be a spinoff from DarkSide, based, in part, on the code being used by both operations being so similar.

Ransomware hunter Fabian Wosar, CTO of cybersecurity firm Emsisoft, has said that "after looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a DarkSide rebrand here." Likewise, in a technical teardown of BlackMatter's code published Thursday, Dutch cybersecurity firm Tesorion noted that "the code similarities we found support this suggestion."

In another development pointing to BlackMatter being a direct successor to DarkSide, on Wednesday, MalwareHunterTeam discovered a BlackMatter Linux ELF64 encryptor, which it says has similarities with the DarkSide ransomware.

DarkSide had a similar Linux version of its ransomware before announcing its shutdown, AT&T’s Alien Labs said in a research report. AT&T researchers say DarkSide had completed a Linux version of its malware specifically designed to target ESXi servers hosting VMware virtual machines (see: DarkSide Created a Linux Version of Its Ransomware).

MalwareHunterTeam says BlackMatter's Linux ransomware can run ESXi shell commands, including esxcli commands, which the malware uses to shut down virtual machines so that they can be forcibly encrypted and held to ransom.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.