BlackMatter Group Debuts Linux-Targeting Ransomware
VMware ESXi Servers Targeted by Crypto-Locking Malware, MalwareHunterTeam Warns
BlackMatter, a new Russian-speaking ransomware-as-a-service group that announced its launch last month, has created a Linux version of its malware designed to target VMware's ESXi servers hosting virtual machines, according to the security research group known as MalwareHunterTeam.
Someone using the handle "BlackMatter" first posted to both the XSS and Exploit Russian-language cybercrime forums on July 19, stating that the group wanted to recruit affiliates, says threat intelligence firm Flashpoint.
The BlackMatter operation further stated that it has incorporated the "best" features of DarkSide, REvil and LockBit malware, according to threat intelligence firm Recorded Future (see: BlackMatter Ransomware Claims to Be Best of REvil, DarkSide).
The reference to those groups - both DarkSide and REvil, aka Sodinokibi - led some ransomware watchers to wonder if BlackMatter might be a spinoff. DarkSide, notably, announced on May 13 that it was shutting down after its attack on Colonial Pipeline Co. That attack led to a run on gasoline and a temporary shutdown of Colonial's pipeline serving much of the U.S. East Coast, and it sparked a furious response from the White House, leveled in part at the Russian government, over its failure to crack down on domestic cybercriminals (see: DarkSide Ransomware Gang Says It Has Shut Down).
Many ransomware watchers had expected DarkSide and REvil to soon crop up under different names.
Sure enough, multiple experts say BlackMatter appears to be a spinoff from DarkSide, based in part on how similar the code used by the two operations is.
Ransomware hunter Fabian Wosar, CTO of cybersecurity firm Emsisoft, has said that "after looking into a leaked BlackMatter decryptor binary I am convinced that we are dealing with a DarkSide rebrand here." Likewise, in a technical teardown of BlackMatter's code published Thursday, Dutch cybersecurity firm Tesorion noted that "the code similarities we found support this suggestion."
In another development pointing to BlackMatter being a direct successor to DarkSide, on Wednesday, MalwareHunterTeam discovered a BlackMatter Linux ELF64 encryptor, which it says has similarities with the DarkSide ransomware.
DarkSide had a similar Linux version of its ransomware before announcing its shutdown, AT&T’s Alien Labs said in a research report. AT&T researchers say DarkSide had completed a Linux version of its malware specifically designed to target ESXi servers hosting VMware virtual machines (see: DarkSide Created a Linux Version of Its Ransomware).
MalwareHunterTeam says BlackMatter's Linux ransomware can run ESXi shell commands, including esxcli commands, which the malware uses to shut down virtual machines so that they can be forcibly encrypted and held to ransom.