BlackMatter Ransomware Analysis
‘BlackMatter’ is a ransomware-as-a-service (RaaS) that first appeared in July 2021, when rumors began circulating that it was linked to the DarkSide attack. Those behind BlackMatter have announced that they have incorporated the best features of DarkSide, REvil, and LockBit. BlackMatter ransomware is gaining popularity and targeting high-profile targets in the U.S., Europe, and Asia. The U.S. government has issued a security bulletin concerning the BlackMatter ransomware group following an increase in incidents targeting U.S. companies. To combat these attacks, organizations recommend using multifactor authentication (MFA) and updating vulnerable software and systems, such as those that ransomware groups commonly exploit. BlackMatter attackers have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoins and Monero, which indicates that it is hitting hard and achieving big goals.
During the July 4th holiday, REvil attacked Kaseya’s customers by utilizing the Sodinokibi payload, which among its many indicators of compromise (IOC), contained a “Blacklivesmatter” registry entry. REvil subsequently disappeared from the dark web, possibly to avoid law enforcement attention or in response to some takedown action. The registry entry “Blacklivesmatter” was not only an indicator of compromise (IOC) at the time, but it also may have provided an early indicator of what was to follow. For example, the group known as BlackMatter, which targets a big game in ransomware, appears to be an amalgamation of REvil and Darkside’s team members and tactics. These two groups exhibit strong similarities in their codebases, infrastructure configurations, techniques, and operating philosophies.
Darkside and REvil have proven to be two of the most prolific ransomware groups in 2020 and 2021, with landmark attacks on Colonial Pipeline and JBS and the infamous Travelex incident, which caused significant chaos to the organization and its customers for months.
How BlackMatter Operates?
In addition to BlackMatter’s widespread fame, the BlackMatter ransomware gang supports the double extortion trend. As part of the attack, hackers not only encrypt sensitive data but also intrude on confidential information. As a result, companies are compelled to pay the ransom to prevent data leakage. Their principal targets are windows and Linux servers and initial access brokers (IABs). For victim organizations, there’s a range of potential knock-on business risks, including:
- Remediation, investigation, and clean-up costs
- Regulatory fines
- Reputational damage and customer attrition
- Legal costs, especially if personal data is leaked
- Productivity impact and operational outages
- Lost sales
As of July 2021, approximately three weeks after the Kaseya incident, BlackMatter targeted a US-based architecture company in its first foray since its formation in mid-July 2021.
According to the BlackMatter ransomware blog, BlackMatter publishes the sensitive data of target companies with revenues exceeding $100 million and 500-15,000 hosts within their network. BlackMatter actively advertises the purchase of network access from organizations, offering a price range between $3,000 and $100,000, including a percentage of the ransom amount. A modus operandi similar to Lockbit 2.0 is gaining popularity, thus aligned with other threat actor groups.
The BlackMatter’s blog and its platform provide threat actors and affiliates with the ability to customize binary payloads, including custom ransom messages, proof of stolen data, the victim’s name, and a unique identifier. BlackMatter breaches organizations through network access purchased by the company. After gaining initial access, the threat actor targets critical assets and exfiltrates sensitive data before deploying ransomware centrally on every infected endpoint via the infected Domain Controllers. After unleashing the ransomware, BlackMatter encrypts the files on the victim’s machine in seconds, disabling file recovery and system restore and leaving a ransom note on the victim’s machine.
BlackMatter’s Ransom Note
The ransom note by BlackMatter does more than leave a ransom note; it also alters the background image of the machine and translates instructions into the README.txt file. BlackMatter does not seem to perform the same geolocation check, perhaps to avoid association with the region and their past exploits.
To avoid detection and allow file encryption without the interference of security controls, BlackMatter supports the use of Windows ‘safe-mode’ with the built-in local administrator account being enabled and set for automatic sign-in along with the run-once Registry key being set to execute the BlackMatter payload.
The victim-specific ransom note informs the victim of data encryption and theft and directs them to install the TOR browser bundle to access the dark web negotiation site.
According to the BlackMatter configuration, which appears to be a JSON file, the payload can be tailored to a specific victim, for example:
For encrypting the Salsa20 encryption key, the RSA public key will be used.
- Identification number of the victim company
- The AES key is used at Salsa20 key initialization (used later to encrypt files).
- Payload version of bot malware.
- Damage large files such as databases when using Odd Crypt Large Files.
- The Make Logon command will use the credentials specified in the config file to attempt authentication.
- Try mounting and encrypting volumes.
- Attempt to encrypt network shares and AD resources.
- To ensure maximum impact, processes and services exit prior to encryption.
- Avoid detection by creating mutex’s.
- Exfiltrating the victim’s data and preparing it for use.
- Ransom notes are dropped after file encryption.
- Using HTTP or HTTPS to communicate between C2 domains.
- Setting a custom ransom note.
Indicators of Compromise (IOCs)
SHA256 Windows payloads:
SHA256 Linux payloads:
How To Prevent Ransomware Attacks?
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR) security solution in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.
The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that NETSECURITY CORPORATION copyrights the contents of this page. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).