The DarkSide ransomware gang appears to have rebranded itself as the BlackMatter ransomware operation, and the encryption algorithms found in a BlackMatter decryptor are the evidence. The BlackMatter operation is known to be actively targeting corporate entities.
After its attack on the US Colonial Pipeline, the DarkSide gang faced increased scrutiny from international law enforcement and the US government.
In May, the DarkSide ransomware operation abruptly shut down after losing access to its servers and cryptocurrency, which were seized by an unknown third party.
In July, a new ransomware operation known as BlackMatter emerged; it is actively attacking victims and purchasing network access from other attackers to launch its attacks.
Security researchers analyzing the BlackMatter decryptor concluded that the encryption mechanism BlackMatter uses is similar to the one used by the DarkSide ransomware gang.
Fabian Wosar told BleepingComputer that the encryption routines used by BlackMatter are pretty much the same, including a custom Salsa20 matrix unique to DarkSide.
When encrypting data with the Salsa20 algorithm, a developer supplies an initial matrix consisting of sixteen 32-bit words.
When encrypting files, instead of filling those words with the constant strings, a position, a nonce, and a key, DarkSide fills all sixteen words with random data for each encrypted file.
This matrix is then encrypted with a public RSA key and stored in the footer of the encrypted file.
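To make that difference concrete, here is an added example (not code from the article, the decryptor, or either ransomware) that builds the conventional Salsa20 initial matrix and checks whether a 16-word matrix still carries the fixed constant words; a fully randomised matrix of the kind described above fails that check. It assumes the standard Salsa20 word layout for 32-byte keys, which the article does not spell out, and uses constructed sample inputs.

```python
import os
import struct

# Standard Salsa20 constant ("sigma") for 32-byte keys, as four little-endian words.
SIGMA_WORDS = struct.unpack("<4I", b"expand 32-byte k")


def standard_salsa20_state(key: bytes, nonce: bytes, position: int = 0) -> list:
    """Build the conventional 16-word Salsa20 initial matrix.

    Word layout (assumed standard Salsa20, not taken from the article):
      0: sigma0   1-4: key[0:16]        5: sigma1
      6-7: nonce  8-9: 64-bit position  10: sigma2
      11-14: key[16:32]                 15: sigma3
    """
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("expected a 32-byte key and an 8-byte nonce")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    p = struct.unpack("<2I", struct.pack("<Q", position))
    return [SIGMA_WORDS[0], k[0], k[1], k[2], k[3], SIGMA_WORDS[1],
            n[0], n[1], p[0], p[1], SIGMA_WORDS[2],
            k[4], k[5], k[6], k[7], SIGMA_WORDS[3]]


def words_from_bytes(raw: bytes) -> list:
    """Split a 64-byte matrix (e.g. one recovered by a decryptor) into 16 words."""
    if len(raw) != 64:
        raise ValueError("a Salsa20 state is exactly 64 bytes")
    return list(struct.unpack("<16I", raw))


def has_standard_layout(state) -> bool:
    """True if the fixed sigma words sit at positions 0, 5, 10 and 15.

    A matrix whose sixteen words were all drawn at random, as the article
    describes for DarkSide/BlackMatter, fails this check with overwhelming
    probability, since four 32-bit constants would all have to match.
    """
    return len(state) == 16 and tuple(state[i] for i in (0, 5, 10, 15)) == SIGMA_WORDS


if __name__ == "__main__":
    # Constructed sample inputs: a fixed key/nonce and a fully random matrix.
    conventional = standard_salsa20_state(bytes(range(32)), bytes(8), position=1)
    randomised = words_from_bytes(os.urandom(64))
    print("conventional matrix has standard layout:", has_standard_layout(conventional))
    print("randomised matrix has standard layout:", has_standard_layout(randomised))
```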
Fabian says this Salsa20 implementation was previously used only by DarkSide, and now by BlackMatter.
DarkSide used an RSA-1024 implementation unique to their encryptor, which BlackMatter also uses.
While there is no 100% proof that BlackMatter is a rebrand of the DarkSide operation, the many shared characteristics make it hard to believe otherwise.
When we take the same encryption algorithms, the similar language used on the BlackMatter sites, the similar craving for media attention, and the similar color themes of their Tor sites together, it is highly likely that BlackMatter is the new DarkSide.
A rebrand from DarkSide also explains why the new BlackMatter group won't target the "Oil and Gas industry (pipelines, oil refineries)," since that sector led to its previous downfall.
Unfortunately, this is a highly skilled group that targets multiple device architectures, including Windows, Linux, and ESXi servers.
Because of this, we will need to keep an eye on this new group, as it will surely attack well-known targets in the future.