Marketron hit by BlackMatter ransomware gang: RadioTraffic back online

Despite investments in cybersecurity, ransomware affected marketing services and impacted the majority of products

Ransomware hit the company: all services down. FBI and the Marketron cybersecurity specialists work together to put the services back online after the ransomware attack

A group of cybercriminals hit Marketron over the weekend with their ransomware, dubbed BlackMatter. The business software solutions provider serves more than 6,000 customers in the media industry. Marketron is a well-known name in the broadcast and media industry. The company provides cloud-based revenue and traffic management tools for broadcast and media organizations.[1]

Marketron customers found out about the incident on Sunday via an email from company CEO Jim Howard. He stated that a Russian criminal organization was responsible for the attack, and he apologized to customers. He highlighted that the company has no clue how the hackers breached the network, since it recently made significant investments in cybersecurity measures designed to protect against intruders.[2]

The recent report from the CEO stated that RadioTraffic's cloud-based traffic and billing system is safe to use. It added that the company was communicating with the hackers and had received help from the Federal Bureau of Investigation (FBI). Combined efforts should produce a positive outcome. Even so, working services were shut down as a precautionary measure. The Pitch, Email Marketing, and Mobile Messaging platforms remained online.

BlackMatter hit other high-level companies

Marketron isn't the only company hit by BlackMatter over the past weekend. BlackMatter also breached New Cooperative, a U.S. farmers' organization, and ended up demanding a $5.9 million ransom. The company itself remained silent about the attack but confirmed a cybersecurity incident that impacted some of its devices and systems. It took systems offline to contain the problem.[3]

However, cyber experts shared that the criminals gathered huge amounts of sensitive information, such as financial documents, network information for multiple companies involved with New Cooperative, social security numbers, and employees' personal information. The ransomware gang claims to have 1TB of data. They are also waiting until noon on September 25th to get their ransom.

About a week ago, technology giant Olympus was also hit by BlackMatter. The company shared that it detected suspicious activity and immediately mobilized a specialized response team with experts. All data transfers in the affected systems were suspended, and relevant external partners were informed. However, there were speculations about a ransom note left behind on infected computers that claimed to be from BlackMatter.[4]

Apparently, the note demanded payment and stated that the company's network was encrypted and not operational. If the company paid the ransom, the cybercriminals would provide the programs for decryption. The ransom note also included the address of a site accessible only through the Tor Browser that is known to be used by BlackMatter actors to communicate with their victims.

Criminals seem to have rebranded the known threat

The BlackMatter ransomware is believed to be a new, rebranded version of the DarkSide ransomware, as experts point out that its adversary behaviors, tactics, techniques, and procedures seem to be very similar to DarkSide's. The criminals are very active, and over more than a month they have hit several organizations and companies. BlackMatter as a service was founded in July 2021.

The threat actors themselves stated in their blog that this new project had incorporated the best features of DarkSide, REvil, and LockBit. They also stated that the group does not conduct attacks against organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government.[5] However, the recent attack on New Cooperative seems to negate that statement.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
