Ransomware, and malware as a whole, does not exist in a vacuum; it is often developed to accomplish a goal, whether to further an espionage campaign or for monetary gain. Ransomware, in particular, is a fast-moving landscape driven by an intricate web of operators, tools and mystery. BlackMatter ransomware emerged in July 2021 as the successor to DarkSide ransomware, only to be shut down a few short months later... or was it? Besides amassing a large portfolio of victims, the BlackMatter operators released several versions of the ransomware. Recorded Future was the first to openly publish technical details on BlackMatter, as well as to interview the ransomware operators themselves. In this session, we will take you through our discovery of the BlackMatter ransomware group and its evolution through the shutdown, and provide a technical deep dive on the Windows, PowerShell and Linux ransomware itself. We will also address how this evolutionary trend shows up in the larger ransomware operator landscape, especially among sophisticated actors.
This talk will combine a technical discussion of the malware and its evolution with the dark web aspects of the RaaS and how it has evolved into new groups.