
BlackMatter Ransomware Analysis

Introduction

'BlackMatter' is a ransomware-as-a-service (RaaS) operation that first appeared in July 2021, when rumors began circulating that it was linked to the DarkSide attack. Those behind BlackMatter have announced that they have incorporated the best features of DarkSide, REvil, and LockBit. BlackMatter ransomware is gaining popularity and has attacked high-profile targets in the U.S., Europe, and Asia. The U.S. government has issued a security bulletin concerning the BlackMatter ransomware group following an increase in incidents targeting U.S. companies. To combat these attacks, it recommends that organizations use multifactor authentication (MFA) and update vulnerable software and systems, particularly those that ransomware groups commonly exploit. BlackMatter attackers have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero, which indicates that the group is hitting hard and pursuing big payouts.

History

During the July 4th holiday, REvil attacked Kaseya's customers using the Sodinokibi payload, which, among its many indicators of compromise (IOCs), contained a "Blacklivesmatter" registry entry. REvil subsequently disappeared from the dark web, possibly to avoid law enforcement attention or in response to a takedown action. The "Blacklivesmatter" registry entry was not only an IOC at the time; it may also have been an early hint of what was to follow. The group known as BlackMatter, which hunts big game in ransomware, appears to be an amalgamation of REvil's and DarkSide's team members and tactics. The two groups exhibit strong similarities in their codebases, infrastructure configurations, techniques, and operating philosophies.

DarkSide and REvil have proven to be two of the most prolific ransomware groups of 2020 and 2021, with landmark attacks on Colonial Pipeline and JBS and the infamous Travelex incident, which caused significant chaos for the organization and its customers for months.

How Does BlackMatter Operate?

Beyond its widespread notoriety, the BlackMatter ransomware gang follows the double extortion trend: as part of the attack, the operators not only encrypt sensitive data but also steal confidential information, so companies are pressured to pay the ransom to prevent a data leak. Windows and Linux servers are their principal targets, and they rely on initial access brokers (IABs) for entry. For victim organizations, there is a range of potential knock-on business risks, including:

  • Remediation, investigation, and clean-up costs
  • Regulatory fines
  • Reputational damage and customer attrition
  • Legal costs, especially if personal data is leaked
  • Productivity impact and operational outages
  • Lost sales

In July 2021, approximately three weeks after the Kaseya incident, BlackMatter targeted a US-based architecture company in its first known attack since its formation in mid-July 2021.

BlackMatter’s Blog

According to the BlackMatter ransomware blog, BlackMatter publishes the sensitive data of target companies with revenues exceeding $100 million and between 500 and 15,000 hosts on their network. BlackMatter actively advertises that it will buy network access to organizations, offering between $3,000 and $100,000 plus a percentage of the ransom. This modus operandi, similar to LockBit 2.0's, is gaining popularity and aligns BlackMatter with other threat actor groups.

Figure 1: BlackMatter advertisement

BlackMatter’s blog and platform let threat actors and affiliates customize binary payloads, including custom ransom messages, proof of stolen data, the victim's name, and a unique identifier. BlackMatter breaches organizations through network access purchased by the group. After gaining initial access, the threat actor targets critical assets and exfiltrates sensitive data before deploying the ransomware centrally to every endpoint via compromised Domain Controllers. Once unleashed, BlackMatter encrypts the files on the victim's machine in seconds, disables file recovery and System Restore, and leaves a ransom note on the machine.

BlackMatter’s Ransom Note

BlackMatter does more than drop a ransom note: it also changes the desktop background image and writes the instructions into a README.txt file. BlackMatter does not appear to perform the same geolocation check as its predecessors, perhaps to avoid association with that region and their past exploits.

Figure 2: BlackMatter ransom note
Figure 3: BlackMatter screen background change

To avoid detection and encrypt files without interference from security controls, BlackMatter supports running in Windows Safe Mode: the built-in local Administrator account is enabled and configured for automatic sign-in, and a RunOnce registry key is set to execute the BlackMatter payload at the next logon.
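The persistence pattern above leaves a small set of host artifacts that a defender can audit directly. The following PowerShell script is an added example, not code from the original post or from NetSecurity; the function name is mine, and it assumes Windows PowerShell 5.1 or later on a Windows host, run from an elevated prompt so that `bcdedit` and `Get-LocalUser` work.

```powershell
# Added example (not from the original post): audit a Windows host for the
# safe-mode persistence pattern described above. Function name is mine; the
# registry paths are the standard Winlogon and RunOnce locations.
function Test-SafeModePersistence {
    $findings = @()

    # 1. Automatic sign-in configured in Winlogon (normally off on servers)
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($winlogon.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is enabled for user '$($winlogon.DefaultUserName)'"
        if ($null -ne $winlogon.DefaultPassword) {
            $findings += 'DefaultPassword is stored in Winlogon in plaintext'
        }
    }

    # 2. Built-in local Administrator (RID 500) is enabled
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($builtin -and $builtin.Enabled) {
        $findings += "Built-in Administrator account '$($builtin.Name)' is enabled"
    }

    # 3. Any RunOnce entry; a leading asterisk makes it run in Safe Mode as well
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $tag = if ($p.Name.StartsWith('*')) { 'safe-mode capable' } else { 'normal' }
            $findings += "RunOnce [$hive] $($p.Name) = $($p.Value) ($tag)"
        }
    }

    # 4. Boot entry forced into Safe Mode (bcdedit prints a 'safeboot' line)
    $bcd = & bcdedit /enum '{current}' 2>$null
    $safe = $bcd | Where-Object { $_ -match '^\s*safeboot\s' }
    if ($safe) { $findings += "Current boot entry: $($safe.Trim())" }

    return $findings
}

$result = Test-SafeModePersistence
if ($result.Count -eq 0) { Write-Output 'No safe-mode persistence indicators found.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Any single finding can be legitimate on its own (a kiosk with auto-logon, a pending installer in RunOnce); it is the combination of all four on a server that matches the technique described and warrants immediate investigation.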

The victim-specific ransom note informs the victim that their data has been encrypted and stolen and directs them to install the Tor Browser bundle to reach the dark web negotiation site.

Figure 4: BlackMatter blog – negotiation page

Payload Configuration

The BlackMatter configuration, which appears to be a JSON file, lets the payload be tailored to a specific victim. It contains, for example:

Figure 5: BlackMatter payload details

  • The RSA public key used to encrypt (wrap) the Salsa20 encryption key.
  • Identification number of the victim company.
  • The AES key used during Salsa20 key initialization (the Salsa20 key is later used to encrypt files).
  • Payload version of the bot malware.
  • Damage large files such as databases when "Odd Crypt Large Files" is enabled.
  • The "Make Logon" command uses the credentials specified in the config file to attempt authentication.
  • Try mounting and encrypting volumes.
  • Attempt to encrypt network shares and AD resources.
  • Terminate processes and services prior to encryption to ensure maximum impact.
  • Avoid detection by creating mutexes.
  • Exfiltrate the victim's data and prepare it for use.
  • Drop ransom notes after file encryption.
  • Use HTTP or HTTPS to communicate with C2 domains.
  • Set a custom ransom note.

Indicators of Compromise (IOCs)

SHA256 Windows payloads:


SHA256 Linux payloads:

  • 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
  • d4645d2c29505cf10d1b201826c777b62cbf9d752cb1008bef1192e0dd545a82

Domains:

  • nowautomation[.]com
  • fluentzip[.]org
  • mojobiden[.]com
  • paymenthacks[.]com

IP addresses:

  • 99.83.154[.]118

How To Prevent Ransomware Attacks?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) solution, in action? Click the button below to request a free demo of NetSecurity’s ThreatResponder platform.


Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation, misuse, or unauthorized use of this content, "as is" or "modified", shall be considered illegal and subject to the articles and provisions stipulated in the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL).

I am an experienced and CEH certified cybersecurity professional with expertise in incident response, forensic investigations, cyber threat intelligence, vulnerability mgmt. and cyber threat research.

About Inno Eroraha
Dulles, Virginia
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of ThreatResponder Platform.