Following the ransomware attacks on critical infrastructure in the United States, several ransomware-as-a-service operations went quiet. The attacks attracted a lot of heat for ransomware gangs and several groups responded by either implementing new restrictions on the types of entities that their affiliates could attack, shutting down entirely and releasing the keys to allow victims to recover, or simply disappeared from the Internet.
Following the attack on Colonial Pipeline in May 2021 by a DarkSide ransomware affiliate, the DarkSide ransomware gang disappeared from the Internet. The REvil ransomware gang that had been so prolific also went quiet. The gang was behind the attack on JBS Foods which caused the temporary shutdown of two meat processing plants in the United States, and most recently, attacked Kaseya and up to 60 of its customers – mostly MSPs – and 1,500 downstream businesses. Shortly after that attack, its web presence disappeared and the gang went deathly silent.
Then there was Avaddon, another prolific operation. After the DarkSide attack on Colonial Pipeline, the Avaddon and REvil operators announced that they would be preventing their affiliates from conducting attacks on critical infrastructure, healthcare, and others. Avaddon later released the keys to allow 2,934 victims to recover and appeared to have walked away from ransomware attacks. Popular hacking forums took the decision to distance themselves from ransomware, even going as far as banning ransomware actors from posting on their forums.
Following the critical infrastructure attacks, the United States government has taken several steps to allow it to target ransomware gangs more effectively and has demanded Russia take action to stop ransomware gangs that are operating within Russia’s borders. The heat has certainly been turned up and RaaS operations are being scrutinized.
There has been considerable speculation about whether government agencies have succeeded in taking down some of these RaaS operations, even though none have announced that they are part of any takedown. That is not to say that there was no law enforcement or government action, only that if there was it has all been done on the quiet.
While it would be nice to think that these shutdowns were permanent and ransomware attacks would be slowing, that is unlikely. It is natural for RaaS operators to lie low for a while following such major attacks, especially when governments are now laser focused on tackling the ransomware problem. It is likely that these ransomware operations are just taking a break, and the operators – and certainly the affiliates that conducted attacks under the RaaS programs – will return. The return may well have already happened.
Two new ransomware-as-a-service (RaaS) groups have appeared this month – Haron and BlackMatter – that threat intelligence firms have been investigating. Several have reported this week that they have identified connections with some of the RaaS operations that have recently gone quiet – Avaddon, REvil, and DarkSide.
While no concrete evidence has been found linking the new operations with any of the RaaS operations that have recently disappeared, there are many similarities which suggest that either the Avaddon, REvil, and DarkSide RaaS operations have already rebranded, that affiliates of those operations have branched out and are going it alone, or some members of the shutdown RaaS operations are involved in Haron and BlackMatter to some degree.
Despite the forum bans on advertising RaaS operations, the BlackMatter RaaS has been advertising for affiliates on Russian speaking cybercrime forums, albeit by not stating that they are running a RaaS operation. A user named “BlackMatter” registered an account on July 19 on both the XSS and Exploit criminal forums seeking assistance: Access to the networks of U.S., UK, Australian, or Canadian networks of companies with over $100 million in annual revenues. They also stipulated that they would not be buying access to state institutions or any targets in the healthcare sector, as both REvil and Avaddon announced they would not after the colonial pipeline attack.
The BlackMatter operator also created an Escrow account – used in cases of disputes over payments – and deposited $120,000 – a not insignificant sum. The group is offering between $3K and $100K for access or a share in any ransoms generated in exchange for access. The BlackMatter operators claim their operation incorporates the best features of DarkSide, REvil, and LockBit, all three of which are believed to have operated from within Russia.
Similarities were found between BlackMatter and REvil and DarkSide by several cybersecurity firms, with Recorded Future declaring BlackMatter the successor to DarkSide and REvil, although evidence is circumstantial. For instance, BlackMatter is very similar to BlackLivesMatter, which was the name of the Windows registry used by REvil. Mandiant reports that it has found evidence which points to at least one member of the DarkSide operation being involved with Black Matter, although that individual may simply be an affiliate that has jumped ship when the operation went silent.
S2W Lab has found similarities between Haron ransomware and Avaddon, notably a largely copy and pasted ransom note, similar appearances and wording on the ransom negotiation sites, the same structures on the data leak sites, and identical sections of JavaScript code for chat. However, while the Avaddon gang developed its own ransomware, Haron is based on Thanos ransomware.
The similarities may be coincidence, or the operator may have just saved some time by stealing content and code that had already been created. There are other notable differences between the two in many areas, and no solid proof has been found that suggests Avaddon and Haron are one and the same.
Researchers are still conducting investigations into the new groups, but regardless of who is involved in the operations, their aims appear to be very similar. Both are targeting large organizations with deep pockets and if the RaaS operations that have gone quiet remain out of action, there will be any affiliates looking for a new RAAS operation to join.
These two new RaaS operations could therefore completely fill the gap left by the likes of Avaddon, REvil, and DarkSide and ransomware attacks could well continue at pre-May 2021 levels. What is certain is the ransomware threat is far from over.
