That new gang, BlackMatter, is upfront about its origins, stating that it has "incorporated" the "best features" of DarkSide and two other kinds of ransomware, REvil and Lockbit, according to a statement from the BlackMatter group as noted by cybersecurity company Recorded Future.
DarkSide was identified by the U.S. government as the ransomware responsible for the Colonial Pipeline attack, which resulted in the shutdown of a major pipeline supplying fuel to the U.S. East Coast.
After the attack, DarkSide posted a statement saying it was ending operations.
Enter BlackMatter, which is now active on cybercrime forums.
"They’re not advertising their ransomware, however; they are recruiting affiliates…who have access to hacked enterprise networks," according to Malwarebytes. The BlackMatter ads state that it's seeking hacked access to corporate networks in Australia, Canada, the UK and the U.S.
Other requirements for corporations they target include revenue of at least $100 million and 500-15,000 hosts in the network, Recorded Future said.
Like other successful ransomware operations, BlackMatter is run as a business, dubbed Ransomware-as-a-service or RaaS, a knockoff of legitimate business models such as SaaS or software-as-a-service.
Cybersecurity news site Bleeping Computer reported attacks are happening already.
On their own site, BlackMatter says it won’t target certain industries including hospitals, critical infrastructure, the defense industry and the government sector, according to Malwarebytes.
That’s similar to past statements from DarkSide.
"Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future," the DarkSide group said back in May.
But there may be more practical reasons for this. "Almost as if to say that they are keenly aware of the danger that comes from pulling off internationally-recognized attacks," Malwarebytes said.
In June, the Department of Justice said that it had seized Bitcoin valued at approximately $2.3 million from the DarkSide gang. Those funds represented a ransom payment for the Colonial Pipeline ransomware attack.