New Hacking Group Shows Similarities to Gang That Attacked Colonial Pipeline

Blockchain analytics agency Chainalysis Inc. Tuesday stated DarkSide and BlackMatter have the same monetary infrastructure used for processing ransom funds. Different consultants have seen similarities of their ransomware strains and the keys they use to unlock information.

Cybersecurity consultants say the potential rebranding of the hacking group illustrates the methods ransomware gangs could attempt to outmaneuver a crackdown by regulation enforcement.

“Primarily, there are huge overlaps in how BlackMatter and DarkSide encrypt information,” stated Fabian Wosar, chief know-how officer for cybersecurity firm Emsisoft Ltd., who analyzed the instruments the 2 teams used to decrypt information and believes DarkSide has rebranded as BlackMatter. The 2 teams’ encryption processes, he stated, seem like “compiled from the identical supply code.”

Chainalysis, which analyzes transactions between cryptocurrency wallets, stated people linked to the 2 teams additionally shared addresses the place they settle for ransom funds and maintain funds.

“DarkSide and BlackMatter actors had been utilizing overlapping cryptocurrency wallets,” stated Gurvais Grigg, the agency’s international public sector chief know-how officer. Mr. Grigg stated BlackMatter-linked wallets have already got obtained obvious ransomware funds however declined to say what number of.

BlackMatter’s on-line portal for associates and ransomware pressure are visually much like these of DarkSide, stated Kimberly Goody, director of monetary crime evaluation at Mandiant Risk Intelligence, a part of cybersecurity enterprise

FireEye Inc.

However the parallels don’t show BlackMatter’s leaders are the identical people as these of DarkSide, she stated, including that core builders behind one group usually rent specialists, who acquire entry to companies or deploy malware, and who could have labored with different teams.

A person claiming to be a member of BlackMatter stated Monday in an interview with cyber analysis agency Recorded Future that the brand new group wasn’t linked to DarkSide.

Though the newly shaped group drew classes from hacking teams similar to REvil and DarkSide, the individual stated, it was tweaking its strategy to keep away from counterattacks by U.S. authorities. The person stated that BlackMatter wouldn’t have interaction in assaults on essential infrastructure similar to Colonial Pipeline. “We have now forbidden that sort of concentrating on and we see no sense in attacking them,’ the person stated.

Allan Liska, a senior options architect at Recorded Future, stated he doesn’t belief something ransomware operators say.

Anne Neuberger,

White Home deputy nationwide safety adviser for cyber and rising applied sciences, stated she noticed the feedback attributed to BlackMatter as an indication of progress within the Biden administration’s efforts to strain the Russian authorities to crack down on Russian hackers concentrating on essential infrastructure.

“We predict we’re seeing a dedication, and we’ll look to see the actions that observe up on that dedication,” Ms. Neuberger stated, talking Wednesday on the Aspen Safety Discussion board.

The U.S. response to a string of high-profile hacks in latest months has contributed to turnover amongst ransomware teams, stated

Adam Meyers,

vice chairman of intelligence at cyber agency

CrowdStrike Inc.,

which analyzed BlackMatter’s ransomware.

However the disruptions haven’t led to a lower in threats, he stated. “In the end I feel these teams can transfer sooner than forms can,” he stated.

Write to David Uberti at david.uberti@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com