Two new ransomware-as-services (RaaS) programs have appeared on the threat radar this month. These two groups are known as BlackMatter and Haron, and although they are not verified, their emergence is not surprising to anyone who was paying attention.

It’s a bit difficult to see the purpose of BlackMatter and Haron, as they have yet to release any data nor do they seem to be interested in doing so. That said, who are these groups and what is their purpose?

BlackMatter is supposed to be the successor to DarkSide and REvil, two groups that were responsible for the most devastating ransomware attacks in recent history. The two groups launched a joint effort and successfully hacked into the Colonial Pipeline system, which delivers 90 percent of gas for residents of Atlanta.

After that attack, the group went underground for a year but made a comeback by hacking into Kaseya, a managed services provider known for its work in IT support and security. The group was able to get access to Kaseya’s internal network and also locked down an unspecified number of server machines.

The alleged BlackMatter group proved its mettle this month by hacking into the Los Angeles police department’s website and holding its data for ransom. That attack was apparently unsuccessful, as the hackers chose to delete most of the data rather than pay up. In a blog post linked on Twitter, the group claimed that they plan to target more law enforcement agencies in the future.

“We’re not in a position to say if we will release the [Los Angeles Police Department] data in the public, but it’s still possible,” the hacker said. “The reason why we did not release [LAPD’s data] is that our purpose is not to threaten you, but to protect ourselves.”

The supposed Haron group tweeted at the time that they had destroyed nine sites so far and we’re getting ready to target “at least 16 more countries. ”

“[The Haron group was] just waiting for law enforcement websites to be down. And then they popped in and started crashing servers and wiping data. But I got a screenshot of them deleting the files of their own hacking tool so we can’t be sure if they even did it. They were going to do more and we were just waiting. But they got scared. Well, who wouldn’t be in their position? If I was caught by the police I would be scared too.” — Hector Monsegur (@hxmonsegur)

A source close to law enforcement said that they believe BlackMatter and Haron are one and the same group. The source also said that this is not the first time that the gang has tried to attack a law enforcement agency.

“We’re still seeing this group hack into law enforcement websites as we speak. Their MO is to (1) hack into a website and (2) hold the site hostage, demanding that the government pay them to stop. This is their modus operandi, and they’re very good at it,” the source added.

The Haron group’s spokesperson released a statement claiming responsibility for the action against Los Angeles police but offered little more information. The same was true when BlackMatter made its claim on Twitter.

“[BlackMatter] destroyed nine websites so far: four [law enforcement agencies], three [innocent third parties], one corporate and one social media site,” the supposed hacker wrote. “And more will follow. We are not [in a position to say] if we will release the data in the public, but it’s still possible. The reason why [we] did not release [the LAPD’s data] is that our purpose is not to threaten you, but to protect ourselves.”

The group also said they gained access to Internal Affairs Unit files and information on at least 30 officers, including those working undercover and patrolling the streets. However, the group didn’t follow through with that threat either.

Neither of these two groups has been verified in the media as being affiliated with each other. In fact, the one hacker claiming to be Haron said that he was never a part of BlackMatter, but added that BlackMatter’s “language, tactics and ideas are similar to ours. We are trying to destroy these groups.”

Through a series of messages posted on Twitter, he also claimed that he had first hacked into the Los Angeles police department’s website back around July 28. The hacker claimed that he was able to get access to police pages through a security flaw on their website.

The hacker also said that he was able to get access to the administrator’s email address. Although he did not have this access for long, this seems to be standard practice for any hacker who targets such a system. The hacker claimed that he had been able to get into the email address and used it to download data from the L.A.’s Internal Affairs Unit, including files on at least 30 officers, something that could be used by anyone who wanted to do a reference check on an officer should they need to.

Interested in reading more about malware attacks in recent news? Darkside Ransomware Extorts Millions discusses another malware that gained millions of data used for ransom.

Interested in reading about potential ways to strengthen security against malware? Strengthen Your Ransomware Defenses discusses ways to strengthen your cybersecurity to prevent and protect against ransomware attacks.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, BlackMatter

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.