DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown

Darkside and BlackMatter ransomware operators have moved a large amount of their Bitcoin reserves after the recent shutdown of REvil’s infrastructure.

The gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million) after the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cache out its profits. Moyal shared his findings with law enforcement.

“Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,” Moyal told The Record. “At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored in the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.”

Below the list of wallets shared by the expert:

15WpW77a5zuMYUENyW3tFAvovgjbURBNdc
1FysrVjFC8y1exHiSXWfHxWwHqwDEmDGcT
12WLsWxC12hDWRAPYdaVCKxu3u5atL9DFc
1EPJax1dzPr79yCuGM3BxHNRhpKesYnM4Y
122rgzWWjHypxz51XydiuRvzATqYvEFoAk
1HjFQLdGP4DFJR1TgXk9WUiGFMoomMmyax
1KMV2LUcTJ8KF2chY32ErMtGUWXvRvWfrC
16hJwHm4c6M2A6CytimipRDVhUeXVD2QrB
bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6 (current major holder wallet)

In May, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cybersecurity attack and its operators were forced to shut down its systems. The pipeline allows carrying 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, it covers 45 percent of the East Coast’s fuel supplies.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.

In the aftermath of the attack, Darkside gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds seized part of its infrastructure and some wallets it was using for its operations.

In July the group rebranded its operation with the name BlackMatter.

Nevertheless, the gang re-launched in July with new infrastructure and under the new name of BlackMatter.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.