Blackmatter

Threat Actor updated 2 months ago (2024-07-17T16:17:42.125Z)
BlackMatter is a ransomware-as-a-service (RaaS) threat actor. The group first operated as DarkSide, which carried out the Colonial Pipeline attack in May 2021. The attention that attack drew from US law enforcement cost DarkSide control of its infrastructure, and the operators rebranded as BlackMatter in July 2021. Continued pressure from authorities led the group to announce its shutdown in November 2021, only a few months after it surfaced under the new name.

The shutdown did not end the developers' involvement in ransomware. The data of their remaining victims was handed to LockBit, which took over the existing extortion demands. That handover coincided with the appearance of LockBit 3.0 (LockBit Black), a strain that researchers have compared to both BlackMatter and Alphv (BlackCat). Researchers at Trend Micro noted that parts of LockBit 3.0's code appear to be borrowed from BlackMatter, which strengthens the link between the two operations.

This history illustrates a cycle of rebranding in response to law enforcement action. Alphv/BlackCat, which emerged shortly after BlackMatter's shutdown, is suspected of being a further rebrand of the same operators; there are also suspicions that it has ties to former REvil members and that it has used the Emotet botnet to distribute ransomware. Because these groups persist under changing names, tracking should follow tooling, infrastructure and personnel rather than brand names alone.
Description last updated: 2024-07-17T15:17:34.707Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles you may also want to look at.
Profile (votes): Description

DarkSide (9): DarkSide is a threat actor known for its malicious activities, particularly in the realm of ransomware. This group was notably responsible for the major attack on the U.S. energy sector that targeted Colonial Pipeline Co. on May 7, 2021, using a ransomware-as-a-service operation. The DarkSide ransom

Alphv (8): Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op

Lockbit Black (5): LockBit Black, also known as LockBit 3.0, is a sophisticated malware variant that emerged in early 2022. This malicious software encrypts files and disrupts operations on infected devices, often demanding a ransom for the restoration of data. Developed as an iteration of LockBit 2.0 (LockBit Red) re

Trigona (2): Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope

Hunters International (2): Hunters International, a threat actor group allegedly linked to Russia, has emerged as a significant cybersecurity concern. The group, which has been active since October of the previous year, is known for executing malicious actions with intent to cause harm and gain financially. They have recently
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cybercrime
RaaS
Extortion
Source
Linux
Analyst Notes & Discussion
Associated Malware
Malware (relation type, votes): Description

LockBit (is related to, 9): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc

REvil (Unspecified, 7): REvil is a type of malware, specifically ransomware, that has been linked to significant cyber attacks. It emerged as part of the Ransomware as a Service (RaaS) model that gained popularity in 2020. This model established relationships between first-stage malware and subsequent ransomware attacks, s

Conti (Unspecified, 4): Conti is a notorious malware and ransomware operation that has caused significant damage to computer systems worldwide. The Conti group, believed to have around 200 employees, operated like a regular business, with internal communications revealing the organization's structure and operations. It was

Hive (Unspecified, 4): Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated

Clop (Unspecified, 2): Clop, also known as Cl0p, is a notorious ransomware group responsible for several high-profile cyberattacks. The group specializes in exploiting vulnerabilities in software and systems to gain unauthorized access, exfiltrate sensitive data, and then extort victims by threatening to release the stole

Black Basta (Unspecified, 2): Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of

Ryuk (Unspecified, 2): Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves

Maze (Unspecified, 2): Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w

AvosLocker (Unspecified, 2): AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info
Associated Threat Actors
Threat actor (relation type, votes): Description

FIN7 (Unspecified, 3): FIN7, a prominent threat actor in the cybercrime landscape, has been noted for its malicious activities and innovative tactics. Known for their relentless attacks on large corporations, FIN7 recently targeted a significant U.S. carmaker with phishing attacks, demonstrating their continued evolution

Bl00dy (Unspecified, 2): Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, have recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i

Sangria Tempest (Unspecified, 2): Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m

LockBitSupp (Unspecified, 2): LockBitSupp, also known as Dmitry Yuryevich Khoroshev, is a threat actor who has been identified as the creator and operator of one of the most prolific ransomware variants known as LockBit. Based in Voronezh, Russia, Khoroshev allegedly began developing LockBit as early as September 2019 and contin
Source Document References
Information about the Blackmatter Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source, age: Title

DARKReading, 2 months ago: Security End-Run: 'AuKill' Shuts Down Windows-Reliant EDR Processes
BankInfoSecurity, 2 months ago: Millions Affected by Prudential Ransomware Hack in February
CERT-EU, 6 months ago: Ransomware's appetite for US healthcare sees known attacks double in a year | Malwarebytes
CERT-EU, 6 months ago: Ransomware Talent Surges to Akira After LockBit's Demise
BankInfoSecurity, 6 months ago: Ransomware Talent Surges to Akira After LockBit's Demise
CERT-EU, 6 months ago: The Great BlackCat Ransomware Heist
CERT-EU, 6 months ago: Ransomware group behind Change Healthcare attack goes dark
CERT-EU, 6 months ago: BlackCat ransomware turns off servers amid claim they stole $22 million ransom
CERT-EU, 6 months ago: Healthcare in Crosshairs: ALPHV/Blackcat Ransomware Threat Escalates, FBI Issues Warning
CERT-EU, 6 months ago: No Bad Luck for Darktrace: Combatting ALPHV BlackCat Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 6 months ago: FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
CERT-EU, 6 months ago: UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
BankInfoSecurity, 6 months ago: No Big Reveal: Cops Don't Unmask LockBit's LockBitSupp
BankInfoSecurity, 6 months ago: Who is LockBitSupp? Police Delay Promise to Reveal Identity
InfoSecurity-magazine, 7 months ago: LockBit Infrastructure Disrupted by Global Law Enforcers
DARKReading, 7 months ago: Kasseika Ransomware Linked to BlackMatter in BYOVD Attack
CERT-EU, 8 months ago: The Top 10 Ransomware Groups of 2023
CERT-EU, 8 months ago: Zeppelin Ransomware Source Code & Builder Sells for $500 on Dark Web | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
DARKReading, 8 months ago: Zeppelin Ransomware Source Code & Builder Sells for $500 on Dark Web
CERT-EU, 8 months ago: Microsoft disables MSIX protocol handler abused in malware attacks