EclecticIQ Threat Research Team
August 11, 2021

REvil and Darkside Successor Launches Operations as United States Establishes Joint Cyber Defense Collaborative


Key Highlights

  • BlackMatter, a new ransomware group claiming to be the successor to REvil and Darkside, announced the start of operations, advertised for collaborators, and indicated it will not attack hospitals or critical infrastructure.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) stood up the Joint Cyber Defense Collaborative, which aims to bring together government and private enterprise in the name of cybersecurity.
  • Luxembourg’s data privacy regulator has fined Amazon $887 million (€746 million) under the European Union’s GDPR regulation for its failure to comply with requirements for protecting customer data.

BlackMatter Aims to Succeed REvil and Darkside, Focusing on Ransomware Targets with Revenues of $100 Million or More

BlackMatter, a new ransomware group claiming to be the successor to REvil and Darkside, publicly launched operations during the last week of July. The group posted advertisements on two cybercrime forums seeking initial access to high-revenue companies in the United States, the United Kingdom, Canada, and Australia in any industry except healthcare and government. BlackMatter also claimed it would avoid striking critical infrastructure (nuclear and non-nuclear power plants and water treatment facilities), oil and gas facilities, nonprofits, hospitals, and others, saying that victims in those industries can ask for the decryption key. BlackMatter’s webpage also promoted the group’s “transparency” and “honesty” with victims, and its customer service for affiliates and clients. (1) In a separate web article dated August 2, a member of BlackMatter stated that the group is driven by financial rewards and carefully weighs the costs and requirements of conducting an attack against the potential gains. (2)

U.S. President Biden Highlights Threat of Cyberattacks as CISA Launches JCDC

In a briefing to U.S. intelligence officials, President Biden stated that cyberattacks “increasingly are able to cause damage and disruption in the real world.” He added that “…if we end up in a war, a real shooting war with a major power, it’s going to be as a consequence of a cyber breach.” He signed a national security memo aimed at improving cybersecurity for critical infrastructure through a voluntary government-industry cooperative organization. On August 5, the Cybersecurity and Infrastructure Security Agency (CISA) announced a government-industry initiative to share information and best practices in cybersecurity called the Joint Cyber Defense Collaborative (JCDC). EclecticIQ judges that increased U.S. government attention to cybersecurity initiatives is a direct result of the high-profile ransomware attacks against Colonial Pipeline and JBS earlier this year. The U.S. government likely feels pressure to demonstrate action against cyberthreats. EclecticIQ sees voluntary government-industry cooperation against cybercrime as necessary, but implementing meaningful cybersecurity recommendations will almost certainly be a costly, long-term process. (3, 4, 5)

Luxembourg Hits Amazon with Highest Fine to Date under GDPR

Authorities in Luxembourg levied a fine of €746 million ($887 million USD) against Amazon for its failure to comply with the EU’s General Data Protection Regulation (GDPR). Luxembourg has not revealed any information about its decision; however, Amazon released a statement indicating it disagreed with the fine and the reasons for it, and plans to appeal. This fine is by far the largest levied under the GDPR, far exceeding the previous record holder, which was a 2019 French fine against Google for €50 million. (6)

Russia Submits Proposed Convention on Cybercrime to U.N.

Russia recently submitted a proposal to the United Nations to create the world’s first convention for strengthening laws against cybercrime. In the proposal, submitted on July 27, Russia suggested expanding the number of internationally designated cybercrimes from nine to 23. The existing convention on cybercrime, signed in 2001 by just four nations, mentions only crimes known at the time. Russia’s proposal adds crimes involving cryptocurrency, minors, and the marketing of fake medical products. In 2011, Russia put forth a similar draft, entitled “Convention on International Information Security.” (7) EclecticIQ assesses this new proposal as an attempt by Russian authorities to appear as though they are taking proactive action against cybercrime, while avoiding dealing with the abundance of criminal actors within their own borders. By submitting a proposed document to the U.N., Russia achieves positive publicity while failing to take any action to rein in cybercriminals operating within its national territory. (8)

Italian Regional Government and Vaccine Website Suffer Ransomware Attack

On August 1, the media reported on a ransomware attack that disabled the website of Italy’s Lazio Region government, as well as its COVID-19 vaccination website. The attack prevented citizens from making vaccination appointments; however, the authorities stated the vaccination program would continue as normal. The report did not indicate who was responsible for the attack, nor whether the Lazio Regional government was in contact with the attackers. (9)

U.S. Department of Justice Reveals Additional Detail on Breach Resulting from SolarWinds Attack

On July 30, the U.S. Department of Justice released a statement providing additional detail about an intrusion targeting the networks of U.S. attorneys. In this case, the advanced persistent threat (APT) group behind the SolarWinds compromise gained unauthorized access to the Microsoft Office 365 Outlook accounts in the offices of more than two dozen U.S. attorneys between May and December 2020. The attackers accessed sent, received, and stored emails and attachments from individual accounts. EclecticIQ analysis of the SolarWinds campaign indicates the threat actors were thorough in their use of obfuscation TTPs, making detection very difficult. EclecticIQ assesses that the list of targeted victims in the SolarWinds campaign will almost certainly continue to expand. (10)

Appendix

  1. https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/
  2. https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
  3. https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/07/27/remarks-by-president-biden-at-the-office-of-the-director-of-national-intelligence/
  4. https://www.cnbc.com/2021/07/28/biden-to-sign-memorandum-to-improve-cybersecurity-for-us-infrastructure.html
  5. https://www.cisa.gov/jcdc
  6. https://therecord.media/amazon-fined-887-million-over-eu-privacy-violations/
  7. https://www.mid.ru/en/foreign_policy/official_documents/-/asset_publisher/CptICkB6BZ29/content/id/191666
  8. https://www.firstpost.com/tech/news-analysis/explained-russias-proposal-to-the-un-for-expanding-list-of-designated-cybercrimes-9843901.html
  9. https://www.euronews.com/2021/08/02/italian-website-for-vaccination-appointments-targeted-by-hackers
  10. https://www.justice.gov/opcl/department-justice-statement-solarwinds-update