| Target OS | Windows / Linux |
- BlackMatter is a new strain of ransomware that was first identified in July 2021. The newly emerged ransomware is an affiliate of Darkside and targets different regions worldwide, particularly the US, UK, Australia, and Canada.
- This ransomware targets both Windows and Linux-based systems, including NAS (Network-Attached Storage) devices and ESXi servers.
- BlackMatter ransomware operators claim that it combines the best aspects of REvil, Darkside, and Lockbit ransomware. They target a variety of industries with revenue higher than USD 1 million, with the exception of organizations in the healthcare, government, oil and gas, and non-profit sectors.
Analysis
On 21 July 2021, BlackMatter ransomware operators published a post on a Russian cybercrime forum asking to buy access in bulk for various locations, including the United States, the United Kingdom, and Australia. The following industries were explicitly excluded from their target list:
- Critical Infrastructure
- Oil and Gas
- Government Institutions
Information from Technical Analysis
Based on open-source research, CloudSEK researchers determined that the ransomware has two variants that target Windows and Linux systems respectively, with some minor changes in their encryption functionality. The Windows variant of the BlackMatter ransomware performs the following functions:
- The ransomware checks the current user's privilege level and, based on that, performs privilege escalation to bypass UAC (User Account Control) via the ICMLuaUtil COM interface.
- The ransomware is multithreaded: it uses an I/O completion port both while enumerating the filesystem and during the encryption process.
- The ransomware enumerates the network resources as well as the AD (Active Directory) using LDAP (Lightweight Directory Access Protocol) requests.
- The ransomware excludes specific directories, file names, and file extensions during the encryption process. It also deletes shadow copies of the targeted directories before starting the encryption process.
- The ransomware kills specific processes and deletes or stops specific services on the victim system.
- Files are encrypted with Salsa20, and the Salsa20 key is in turn protected with an RSA-1024 public key.
- After encryption, the ransomware changes the file name to . and drops a ransom note in each folder with the name .README.txt.
- The ransomware collects information about the victim device and sends it back to the C2 server via HTTP POST requests, encrypted with AES-128 in ECB mode.
Impact & Mitigation
TTPs & IOCs
Tactics, Techniques, and Procedures
Indicators of Compromise
| List of excluded directory names | windows, system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, program files (x86), program files, $windows.~bt, public, msocache, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old |
| List of excluded file names | desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log |
| List of targeted file extensions | themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu |
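The directory, file-name and extension lists above, together with the `.README.txt` note name from the technical analysis, are the part of this report a responder can act on directly. The script below is an added triage example (not CloudSEK's code, and not the ransomware's): it transcribes the three lists, walks a filesystem tree, and buckets every file by the list it matches, so that on a suspected host you can see which paths the malware would have skipped, which files are the first to check for encryption, and where ransom notes were dropped. The matching rules (case-insensitive comparison of every directory component, exact file-name match, extension match without the dot) and the constructed sample tree are assumptions made for illustration; the report does not state how the malware itself applies the lists.

```python
import os
import tempfile
from pathlib import PurePosixPath

# Lists transcribed from the report's IOC table (Windows variant).
EXCLUDED_DIRS = {
    "windows", "system volume information", "intel", "$windows.~ws",
    "application data", "$recycle.bin", "mozilla", "program files (x86)",
    "program files", "$windows.~bt", "public", "msocache", "default",
    "all users", "tor browser", "programdata", "boot", "config.msi",
    "google", "perflogs", "appdata", "windows.old",
}
EXCLUDED_FILES = {
    "desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db",
    "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini",
    "ntuser.dat.log",
}
# The report labels this list "targeted file extensions"; the label is kept as given.
LISTED_EXTENSIONS = {
    "themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat",
    "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab",
    "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", "msstyles", "mod",
    "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx",
    "sys", "com", "deskthemepack", "shs", "ldf", "theme", "mpa", "nomedia",
    "spl", "cpl", "adv", "icl", "msu",
}
RANSOM_NOTE = ".README.txt"   # note file name reported in the analysis


def classify_path(path: str):
    """Return which report list a path matches ("dir", "name", "ext"), or None.

    Matching rules are an assumption for illustration: case-insensitive, and
    either path separator is accepted so paths copied from Windows artefacts
    can be checked on a Linux analysis box.
    """
    p = PurePosixPath(str(path).replace("\\", "/"))
    for part in p.parts[:-1]:          # every directory component
        if part.lower() in EXCLUDED_DIRS:
            return "dir"
    if p.name.lower() in EXCLUDED_FILES:
        return "name"
    ext = p.suffix.lower().lstrip(".")
    if ext and ext in LISTED_EXTENSIONS:
        return "ext"
    return None


def triage_tree(root: str) -> dict:
    """Walk a tree and bucket every file by the rule it matches.

    Returns paths relative to root in five sorted buckets; "candidate" holds
    files that match none of the lists, i.e. the ones to inspect first for
    encryption, and "ransom_notes" holds every .README.txt found.
    """
    report = {"ransom_notes": [], "dir": [], "name": [], "ext": [], "candidate": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), root).replace(os.sep, "/")
            if fn == RANSOM_NOTE:
                report["ransom_notes"].append(rel)
                continue
            report[classify_path(rel) or "candidate"].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree(base: str) -> None:
    """Create a small constructed layout mimicking a Windows host (sample data)."""
    sample_files = [
        "Windows/System32/kernel32.dll",
        "Program Files/App/app.exe",
        "Users/alice/Documents/report.docx",
        "Users/alice/Documents/.README.txt",
        "Users/alice/Desktop/desktop.ini",
        "Users/alice/Desktop/notes.txt",
        "Users/alice/Desktop/tool.Exe",
    ]
    for rel in sample_files:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")


def run_sample() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    for bucket, paths in run_sample().items():
        print(f"{bucket}: {paths}")
```

Point `triage_tree` at a mounted disk image or a collected file listing's root to get the same buckets for a real host; the "dir" bucket is also a useful reminder that system and browser profile directories are left intact by this family and so remain a good source of forensic artefacts.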