Threat Intelligence Tarot
pentacles · 4
Criminal (Russian-speaking, DarkSide successor)
G0139
risk 4/5
The Rebrand
BlackMatter
DarkSide rebranded · ALPHV precursor
Agriculture · Food supply chain · Manufacturing · Critical infrastructure
Active ~2021 · Ransomware operations post-Colonial, Critical infrastructure targeting (selective), RaaS affiliate model
DarkSide died after Colonial Pipeline. BlackMatter was born two months later. It promised not to hit hospitals or pipelines - then hit grain cooperatives during harvest season. The Rebrand learned the wrong lessons: it thought the problem was the target, not the crime. It lasted three months.
Tactics & Techniques
  • T1486: Data Encrypted for Impact (Impact)
  • T1078: Valid Accounts (Initial Access)
  • T1021.002: SMB/Windows Admin Shares (Lateral Movement)
  • T1567: Exfiltration Over Web Service (Exfiltration)
  • T1134: Access Token Manipulation (Privilege Escalation)
  • T1068: Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • Iowa-based grain cooperative NEW Cooperative ransomware attack (2021)
  • Crystal Valley Cooperative attack during harvest season
  • US food supply chain disruption during critical agricultural period
  • Shut down within 3 months under law enforcement pressure
Defenses
Reversed: Their Weakness
BlackMatter's rapid shutdown demonstrates the fragility of RaaS operations under sustained law enforcement pressure - the Colonial Pipeline aftermath created an environment where even renamed, restructured ransomware groups could not operate without existential risk from multiple international agencies.
Data sourced from MITRE ATT&CK. For educational purposes.