BlackMatter Ransomware Specifications Shared on Cybercrime Forum

BlackMatter ransomware operators claim that it combines the best aspects of REvil, Darkside, and Lockbit ransomware. They target a variety of industries with revenue higher than USD 1 million, with the exception of organizations in the healthcare, government, oil and gas, and non-profit sectors.
Published on August 18, 2021
Updated on April 19, 2023
Read time: 5 minutes
Category: Malware Intelligence
Malware Name: BlackMatter
Malware Family: Ransomware
Affected Industries: Multiple
Affected Region: Global
Target OS: Windows / Linux

Executive Summary

  • BlackMatter is a ransomware strain first identified in July 2021. It is widely reported as a successor to DarkSide [1] and targets victims worldwide, particularly in the US, UK, Australia, and Canada.
  • It has both Windows and Linux variants; the Linux variant targets NAS (Network-Attached Storage) appliances and VMware ESXi servers.
  • Its operators claim that it combines the best aspects of REvil, DarkSide, and LockBit. They target organizations across industries with annual revenue above USD 1 million, while explicitly excluding healthcare, government, oil and gas, and non-profit organizations.

Analysis

On 21 July 2021, BlackMatter ransomware operators published a post on a Russian-language cybercrime forum offering to buy network access in bulk for organizations in various countries, including the United States, the United Kingdom, and Australia. The post explicitly excluded the following sectors from their target list:
  • Healthcare
  • Critical Infrastructure
  • Oil and Gas
  • Defence
  • Non-profit
  • Government Institutions
BlackMatter operators specifically target companies with annual revenue of USD 1 million or more and networks of 500 to 15,000 hosts.

The BlackMatter account on the forum holds an escrow balance of 4 BTC, roughly USD 180K at the time of writing. Besides signalling trustworthiness to other forum members, a deposit of that size attracts established threat actors and experienced Initial Access Brokers (IABs), and indicates that the group intends to run large-scale operations that call for advanced tooling and resources.

[Figure: BlackMatter advertisement on a cybercrime forum]

Information from Technical Analysis

Based on open-source research, CloudSEK researchers determined that the ransomware has two variants, one for Windows and one for Linux, which differ only slightly in their encryption functionality. The Windows variant of BlackMatter performs the following functions:
  • It checks the integrity level of the current user and, if not already elevated, bypasses UAC (User Account Control) through the ICMLuaUtil COM interface to gain administrative privileges.
  • It enumerates the file system and encrypts files from multiple worker threads, coordinated through an I/O completion port.
  • It enumerates network resources and queries Active Directory (AD) over LDAP (Lightweight Directory Access Protocol) to discover additional hosts and shares.
  • It skips specific directories, file names, and file extensions during encryption (the lists are given under Indicators of Compromise below) and deletes volume shadow copies before encryption begins, so that local snapshots cannot be used for recovery.
  • It terminates specific processes and stops or deletes specific services on the victim system, so that files they hold open can be encrypted and protective software does not interfere.
  • Files are encrypted with Salsa20, and each Salsa20 key is in turn protected with an embedded RSA-1024 public key, so decryption requires the operators' private key.
  • After encryption it renames each file with a new extension and drops a ransom note named <extension>.README.txt in every folder it processes.
  • It collects information about the victim machine, encrypts it with AES-128 in ECB mode, and sends it to the C2 server in HTTP POST requests.
[Figure: Information shared by the BlackMatter ransomware operators]
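The behaviours listed above map onto host telemetry that a SOC can alert on. The following is an added example (not code from this report, and not the malware's own code) of detection logic run over constructed process-creation and WMI events in a Sysmon-like shape. The field names, the sample records, the correlation window and the dllhost.exe/CLSID form in which an ICMLuaUtil elevation appears in process telemetry are assumptions of this example rather than something the report documents.

```python
"""
Detection logic for the host behaviours this report attributes to BlackMatter:
UAC bypass through the ICMLuaUtil COM interface, shadow-copy deletion and
service stopping.  Added example, run over constructed events in a
Sysmon-like shape; field names, sample records and thresholds are
assumptions of this example, not something the report documents.
"""
import re

# ICMLuaUtil is served by the CMSTPLUA COM server.  Elevating it through the
# "Elevation:Administrator!new:" moniker starts a dllhost.exe COM surrogate
# whose command line carries this CLSID, which is the observable we key on.
ICMLUAUTIL_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"


def _cmd(e):
    return e.get("cmdline", "").lower()


# Each rule is (name, predicate over one event).  Every predicate checks the
# event type first so a missing field never raises.
RULES = [
    ("uac_bypass_icmluautil",
     lambda e: e["type"] == "process"
     and e.get("image", "").lower().endswith("dllhost.exe")
     and ICMLUAUTIL_CLSID in _cmd(e)),
    ("shadow_copy_delete_cli",
     lambda e: e["type"] == "process"
     and re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", _cmd(e)) is not None),
    # Deletion through WMI shows up as a query against Win32_ShadowCopy
    # followed by DeleteInstance; backup agents also enumerate this class,
    # so in production tune on the querying process.
    ("shadow_copy_wmi",
     lambda e: e["type"] == "wmi"
     and "win32_shadowcopy" in e.get("query", "").lower()),
    ("service_stop",
     lambda e: e["type"] == "process"
     and re.search(r"\b(net1?|sc)(\.exe)?\s+stop\s+\S+", _cmd(e)) is not None),
]


def run_rules(events):
    """Apply every rule to every event and return the list of hits."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append({"host": e["host"], "ts": e["ts"], "rule": name})
    return hits


def correlate(hits, window=600, min_rules=2):
    """Flag hosts on which at least `min_rules` distinct rules fired within
    `window` seconds of each other; a lone 'net stop' is routine admin work,
    the cluster is not.  Returns {host: set(rule names)}."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            rules = {h["rule"] for h in hs[i:] if h["ts"] - first["ts"] <= window}
            if len(rules) >= min_rules:
                flagged[host] = rules
                break
    return flagged


# Constructed events (ts = epoch seconds).  WS01 shows the full chain;
# SRV02 only lists shadow copies; SRV03 is an admin stopping one service.
SAMPLE_EVENTS = [
    {"ts": 1000, "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\dllhost.exe",
     "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"ts": 1012, "host": "WS01", "type": "wmi",
     "query": "SELECT * FROM Win32_ShadowCopy"},
    {"ts": 1015, "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER"},
    {"ts": 1020, "host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"ts": 5000, "host": "SRV02", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": 9000, "host": "SRV03", "type": "process",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
]


if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']} {h['ts']} {h['rule']}")
    print("flagged:", correlate(hits))
```

The correlation step is what keeps this usable: each individual rule has benign matches (service restarts, backup software touching Win32_ShadowCopy), but two or more of them firing on one host inside ten minutes is the pattern described in the analysis above.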

Impact & Mitigation

Impact
  • Volume shadow copies are deleted before encryption, so local snapshot-based recovery is not possible.
  • Anti-VM and anti-debugging techniques hinder reverse engineering of the sample.
  • Victim files are encrypted with Salsa20 under an RSA-1024-protected key and cannot be recovered without the operators' private key.
  • Data is exfiltrated to the attacker's server and used as leverage to extort the victim.
Mitigation
  • Apply the latest patches and updates to applications and operating systems.
  • Deploy EDR on endpoints and monitor the network for the behaviours described above: COM elevation through ICMLuaUtil, shadow copy deletion, mass service stops, and unexpected LDAP enumeration of Active Directory.
  • Keep offline or immutable backups and test restores regularly; shadow copies alone are not a recovery plan against this family.
  • Keep anti-virus and anomaly-detection products updated to their latest versions and signatures.
  • Conduct security awareness training for employees on a regular basis.
  • Avoid clicking on suspicious links or downloading documents from untrusted sources.

TTPs & IOCs

Tactics, Techniques, and Procedures
  • Privilege Escalation:
    • Abuse Elevation Control Mechanism: T1548.002: Bypass User Account Control
  • Defense Evasion:
    • Abuse Elevation Control Mechanism: T1548.002: Bypass User Account Control
    • T1027: Obfuscated Files or Information
  • Discovery:
    • T1482: Domain Trust Discovery
    • T1083: File and Directory Discovery
    • T1135: Network Share Discovery
    • T1057: Process Discovery
    • T1033: System Owner/User Discovery
    • T1007: System Service Discovery
  • Command and Control:
    • T1001: Data Obfuscation
  • Exfiltration:
    • T1041: Exfiltration Over C2 Channel
  • Impact:
    • T1486: Data Encrypted for Impact
    • T1490: Inhibit System Recovery
    • T1489: Service Stop
 

Indicators of Compromise

Note on the domain list: only paymenthacks.com and mojobiden.com have been publicly tied to BlackMatter command-and-control. The remaining entries match on the string "blackmatter" (podcast, apparel, marketing and similar sites) and should be validated before being added to any blocklist.
  • Domain
    • paymenthacks.com
    • mojobiden.com
    • blackmattersusa.com
    • blackmatterinc.com
    • blackmatter.online
    • blackmatterlives.biz
    • blackmattersblog.com
    • blackmatter.club
    • allblackmatterspodcast.com
    • liveblackmatters.com
    • blackmattershop.com
    • allblackmatterspodcast.info
    • shoppingwhileblackmatters.com
    • blackmatter.space
    • blackmatters.world
    • blackmatterstudios.com
    • blackmatter.xyz
    • blackmatter.tech
    • blackmatterremedies.com
    • uberblackmatters.com
    • hireblackmatters.com
    • blackmattermarketing.com
    • blackmatterlives.net
    • blackmattermedia.com
    • myblackmattersny.com
    • seeingblackmatters.com
    • shopblackmatter.com
    • blackmatterpodcast.com
    • blackmattersapparel.com
    • blackmattersapparel.net
    • blackmattersapparel.info
    • yourblackmatters.com
    • blackmatterfirearms.com
    • collectiveactionforblackmatters.com
    • ourblackmatters.com
    • allblackmatter.com
    • studioblackmatter.com
    • blackmatter.life
    • everythingblackmatters.com
    • blackmatter14.com
    • blackmatter15.com
    • whitevoicesblackmatters.com
    • blackmattersdirectory.com
    • myblackmatter.com
  • FileHash (MD5)
    • 598c53bfef81e489375f09792e487f1a
    • 605d939941c5df2df5dbfb8ad84cfed4
    • 3f9a28e8c057e7ea7ccf15a4db81f362
    • a3cb3b02a683275f7e0a0f8a9a5c9e07
  • IP
    • 51.79.243.236
    • 131.107.255.255 (this is Microsoft's NCSI connectivity-probe address, dns.msftncsi.com; it appears in sandbox traffic from any Windows host and should not be blocked or treated as attacker infrastructure)
Excluded directory names: windows, system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, program files (x86), program files, $windows.~bt, public, msocache, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old
Excluded file names: desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log
Excluded file extensions (skipped, not targeted; these are mostly system, driver and executable types that the ransomware leaves alone so the host stays bootable and the ransom note readable): themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu
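The three lists above are enough to reproduce the file-selection logic and see which files on a host would be left untouched versus encrypted, which helps when assessing backup coverage or placing canary files. The following is an added example (not the ransomware's code and not from this report) that walks a constructed directory tree using exactly these lists. The matching semantics (case-insensitive comparison, a match on any ancestor directory name excluding the whole subtree, the extension taken after the last dot) and the sample tree itself are assumptions of the example.

```python
"""
Reproduce BlackMatter's file-selection rules from the exclusion lists in this
report and show, for a constructed directory tree, which files it would skip
and which it would encrypt.  Added example; not the ransomware's own code.
"""
import os
import tempfile
from pathlib import Path

# Exclusion lists as given in the report, lower-cased for case-insensitive matching.
EXCLUDED_DIRS = {
    "windows", "system volume information", "intel", "$windows.~ws",
    "application data", "$recycle.bin", "mozilla", "program files (x86)",
    "program files", "$windows.~bt", "public", "msocache", "default",
    "all users", "tor browser", "programdata", "boot", "config.msi",
    "google", "perflogs", "appdata", "windows.old",
}
EXCLUDED_FILES = {
    "desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db",
    "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini",
    "ntuser.dat.log",
}
EXCLUDED_EXTS = {
    "themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat",
    "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab",
    "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", "msstyles", "mod",
    "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx",
    "sys", "com", "deskthemepack", "shs", "ldf", "theme", "mpa", "nomedia",
    "spl", "cpl", "adv", "icl", "msu",
}


def classify(rel_path):
    """Return ("skip", reason) or ("encrypt", "") for a path relative to the
    scanned root.  Assumption of this example: a match on any ancestor
    directory name excludes the whole subtree."""
    parts = Path(rel_path).parts
    for part in parts[:-1]:
        if part.lower() in EXCLUDED_DIRS:
            return "skip", f"directory '{part}'"
    name = parts[-1].lower()
    if name in EXCLUDED_FILES:
        return "skip", f"file name '{name}'"
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXCLUDED_EXTS:
        return "skip", f"extension '.{ext}'"
    return "encrypt", ""


def triage(root):
    """Walk root and return {relative/posix/path: "skip" | "encrypt"}."""
    verdicts = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            rel = rel.replace(os.sep, "/")
            verdicts[rel] = classify(rel)[0]
    return verdicts


# Constructed sample layout, loosely modelled on a Windows host; not real data.
SAMPLE_FILES = [
    "Windows/System32/kernel32.dll",
    "Program Files/App/app.exe",
    "Users/alice/AppData/Local/cache.db",
    "Users/alice/Documents/q3-report.docx",
    "Users/alice/Documents/thumbs.db",
    "Users/alice/Desktop/notes.txt",
    "Shares/finance/ledger.xlsx",
    "Shares/it/installer.msi",
    "Shares/it/deploy.ps1",
    "Shares/db/customers.mdf",
    "Shares/db/customers.ldf",
]


def build_sample_tree(root):
    """Materialise SAMPLE_FILES under root as tiny placeholder files."""
    for rel in SAMPLE_FILES:
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")


def demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:8s} {path}")
```

Two things the run makes visible that the raw lists do not: everything under a user's AppData (browser profiles, mail caches) survives, and a SQL Server data file (.mdf) is encrypted while its log file (.ldf) is skipped, which matters when planning database recovery.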
 

Reference

[1] BlackMatter ransomware gang rises from the ashes of DarkSide, REvil (bleepingcomputer.com)
