top of page

Emergence of Two New Ransomware Gangs

Haron and BlackMatter - two new ransomware-as-service (RaaS) programs - have emerged this month, with one group claiming to be a successor to DarkSide and REvil, the two infamous ransomware groups that have gone incognito following major attacks on Colonial Pipeline and Kaseya over the past few months.

Writing on their darknet public blog, those responsible for the new BlackMatter group said: "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit”.

However, they did promise to not strike organisations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government sectors. They're all heart, clearly!

It’s been reported that the BlackMatter threat actor registered an account on Russian-language forums XSS and Exploit on July 19, quickly following it up with a post hinting that they are looking to attack companies with revenues of over $100 million a year, with potentially large-scale ransomware operations.

Flashpoint, the globally-trusted leader in risk intelligence, said: "The actor (BlackMatter) deposited 4BTC (approximately $150,000 USD) into their escrow account. Large deposits on the forum indicate the seriousness of the threat actor.

"BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn't break the rules of the forums, though the language of their post, as well as their goals clearly indicate that they are a ransomware collective operator."

On July 27, the group is believed to have begun recruiting partners and affiliates using Exploit forum's Jabber server to spread their recruitment drive, in which they claim to be looking for experienced penetration testers knowledgeable in Windows and Linux systems as well as initial access suppliers.

BlackMatter is not the only newcomer to worry about. Haron is the latest to emerge among the cybercrime network, making its debut appearance this month. It is said to seriously borrow from past ransomware giants such as Thanos and the now defunct Avaddon.


Reporting Cyber Crime

The East Midlands Cyber Resilience Centre provides advice and guidance to protect and prevent businesses from falling victim to cyber crime. However, if you have become a victim of cyber crime, you need to know what to do next, we have all the information you need on how to report it.



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page