top of page
  • Admin

Are Ransomware Groups Rebranding Themselves After Shutting Down?

Published: October 22, 2021 on our newsletter Security Fraud News & Alerts Newsletter.

Security experts warned the public that recently defunct ransomware-as-a-service (RaaS) groups could come back to haunt us. Two of those groups, DarkSide and Avaddon, responsible for headline-grabbing ransomware attacks, now have successors with eerily similar styles. Security experts wonder if two new RaaS groups, BlackMatter and Heron, are simply rebranded copies of the originals. The short answer to the question is yes, it is possible. And yes, we were warned this could happen.

DarkSide and Avaddon groups shutting themselves down is a great way for both to lose attention from law enforcement and security firms. Doing so allows them to ride off into the sunset and escape responsibility for their many cybercrimes. Or are they simply reinventing themselves?

BlackMatter group is a self-proclaimed successor to both DarkSide and REvil groups, a remake potentially worthy of the ransomware crown.

While Heron group, researchers noted, had several similarities to Avaddon. Avaddon shut down operations and disappeared in June of this year as a precautionary move. The group looked to avoid the enormous heat from authorities brought on DarkSide after their epic ransomware attack on Colonial Pipeline earlier this year.

BlackMatter, on the other hand, follows in the steps of DarkSide by setting up a leak site to publish data stolen from ransomware attacks before they encrypt it for the ransom demand. Researchers at Recorded Future point to other similarities. The group is advertising on cybercrime forums to setup a criminal network. Also, they’re actively recruiting those with access to large organizations with revenues of $100 million a year or more. In particular, the corporations they’re after are in the U.S., UK, Canada, and Australia. Their goal is for these cohorts to infect the systems they have access to with ransomware.

Oddly enough, BlackMatter also announced organizations they will not target. Those in healthcare, the defense industry, critical infrastructure, and non-profit groups are safe, assuming we can trust the word of cybercriminals.

In the Meantime…

Businesses need to take basic security steps to help keep ransomware away from their data systems regardless of what group is behind an attack. Being aware of the latest news about new malware is important, as well as having anti-virus solutions installed on all devices. Anti-virus and all other software should be updated as soon as possible, whenever an update is ready. Creating backups of system data can keep ransom demands where they belong – unpaid. Backups need to be done on a regular basis and kept separate from the production system. Also, perform regular restoration of data backups to make sure they work properly if needed.

While time may tell if Heron and BlackMatter are reboots of recently deceased ransomware groups, protecting company data regardless of who may be after it, should be a top priority. After all, we can’t say we weren’t warned.

Want to schedule a conversation? Please email us at

5 views0 comments


bottom of page