DarkSide ransomware operators move 6.8M worth of Bitcoin after REvil shutdown

Darkside and BlackMatter ransomware operators have moved a large amount of their Bitcoin reserves after the recent shutdown of REvil’s infrastructure.

The gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million) after the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies.

“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.

Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cache out its profits. Moyal shared his findings with law enforcement.

“Basically, since 2AM UTC whoever controlled the wallet started to break the BTC into small chunks,” Moyal told The Record. “At the time of this writing, the attackers split the funds into 7 wallets of 7-8 BTC and the rest (38BTC) is stored in the following wallet: bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6.”

Below the list of wallets shared by the expert:

• 15WpW77a5zuMYUENyW3tFAvovgjbURBNdc
• 1FysrVjFC8y1exHiSXWfHxWwHqwDEmDGcT
• 12WLsWxC12hDWRAPYdaVCKxu3u5atL9DFc
• 1EPJax1dzPr79yCuGM3BxHNRhpKesYnM4Y
• 122rgzWWjHypxz51XydiuRvzATqYvEFoAk
• 1HjFQLdGP4DFJR1TgXk9WUiGFMoomMmyax
• 1KMV2LUcTJ8KF2chY32ErMtGUWXvRvWfrC
• 16hJwHm4c6M2A6CytimipRDVhUeXVD2QrB
• bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6 (current major holder wallet)

In May, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cybersecurity attack and its operators were forced to shut down its systems. The pipeline allows carrying 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, it covers 45 percent of the East Coast’s fuel supplies.

The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.

In the aftermath of the attack, Darkside gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds seized part of its infrastructure and some wallets it was using for its operations.

In July the group rebranded its operation with the name BlackMatter.

Nevertheless, the gang re-launched in July with new infrastructure and under the new name of BlackMatter.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, REvil ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]