BlackMatter Ransomware Specifications Shared on Cybercrime Forum

Originally published at: https://cloudsek.com/threatintelligence/blackmatter-ransomware-specifications-shared-on-cybercrime-forum/

| Field | Value |
|---|---|
| Category | Malware Intelligence |
| Malware Name | BlackMatter |
| Malware Family | Ransomware |
| Affected Industries | Multiple |
| Affected Region | Global |
| Target OS | Windows / Linux |

Executive Summary

  • BlackMatter is a new strain of ransomware that was first identified in July 2021. The newly emerged ransomware is an affiliate of Darkside and targets regions worldwide, particularly the US, UK, Australia, and Canada.
  • The ransomware targets Windows and Linux-based systems, including NAS (Network-Attached Storage) devices and ESXi servers.
  • BlackMatter ransomware operators claim that it combines the best aspects of the REvil, Darkside, and Lockbit ransomware families. They target a variety of industries with revenue above USD 1 million, with the exception of organizations in the healthcare, government, oil and gas, and non-profit sectors.

Analysis

On 21 July 2021, BlackMatter ransomware operators published a post on a Russian cybercrime forum asking to buy access in bulk for various locations, including the United States, the United Kingdom, and Australia. The following industries were explicitly excluded from their target list:

  • Healthcare
  • Critical Infrastructure
  • Oil and Gas
  • Defence
  • Non-profit
  • Government Institutions

BlackMatter operators specifically target companies with a revenue of USD 1 million and above, and company networks with 500 to 15,000 hosts.

The BlackMatter account on the Russian forum holds an escrow balance of 4 BTC, roughly USD 180K. Apart from evoking confidence in other forum members, a balance of this size attracts reputed threat actors and experienced Initial Access Brokers (IABs) to work with the group. It also signals that the group is serious about carrying out large-scale attacks that require advanced tools and resources.

Figure: BlackMatter advertisement on a cybercrime forum

Information from Technical Analysis

Based on open-source research, CloudSEK researchers determined that the ransomware has two variants that target both Windows and Linux systems, with some minor changes in their encryption functionality.

The Windows variant of the BlackMatter ransomware performs the following functions:

  • The ransomware checks the current user's privilege level and, based on that, escalates privileges to bypass UAC (User Account Control) via the ICMLuaUtil COM interface.
  • The ransomware uses multithreading, built on an I/O completion port, both while enumerating the filesystem and during the encryption process.
  • The ransomware enumerates network resources as well as AD (Active Directory) using LDAP (Lightweight Directory Access Protocol) requests.
  • The ransomware excludes specific directories, file names, and file extensions during the encryption process. It also deletes shadow copies of the targeted directories before encryption starts.
  • The ransomware kills specific processes and deletes or stops specific services on the victim system.
  • The encryption algorithm is Salsa20, and the Salsa20 encryption key is protected with an RSA-1024 public key.
  • After encryption, the ransomware changes the file name to . and drops a ransom note named .README.txt in each folder.
  • The ransomware collects information about the victim device and sends it back to the C2 server via HTTP POST requests, encrypted with AES-128 in ECB mode.

Figure: Information shared by the BlackMatter ransomware operators

Impact & Mitigation

Impact
  • The ransomware deletes shadow copies of the targeted directories, preventing data recovery.
  • The ransomware deploys anti-VM and anti-debugging techniques to hinder reverse engineering.
  • The ransomware encrypts its victims' files, making them inaccessible.
  • The ransomware is also capable of exfiltrating data to the attacker's server, which can be used to blackmail the victim.

Mitigation
  • Update applications and systems with the latest patches and updates.
  • Use EDR solutions for network monitoring.
  • Use up-to-date anomaly detection and anti-virus products.
  • Conduct security awareness and training programs for employees on a regular basis.
  • Avoid clicking on malicious or suspicious links.
  • Avoid downloading documents from untrusted or suspicious sources.

TTPs & IOCs

Tactics, Techniques, and Procedures
  • Privilege Escalation:
    • Abuse Elevation Control Mechanism: T1548.002: Bypass User Account Control
  • Defense Evasion:
    • Abuse Elevation Control Mechanism: T1548.002: Bypass User Account Control
    • T1027: Obfuscated Files or Information
  • Discovery:
    • T1482: Domain Trust Discovery
    • T1083: File and Directory Discovery
    • T1135: Network Share Discovery
    • T1057: Process Discovery
    • T1033: System Owner/User Discovery
    • T1007: System Service Discovery
  • Command and Control:
    • T1001: Data Obfuscation
  • Exfiltration:
    • T1041: Exfiltration Over C2 Channel
  • Impact:
    • T1486: Data Encrypted for Impact
    • T1490: Inhibit System Recovery
    • T1489: Service Stop

Indicators of Compromise


  • Excluded directory names: windows, system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, program files (x86), program files, $windows.~bt, public, msocache, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old
  • Excluded file names: desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log
  • Targeted file extensions: themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu
