| Field | Value |
|---|---|
| Target OS | Windows / Linux |
- BlackMatter is a new strain of ransomware that was first identified in July 2021. The newly emerged ransomware is an affiliate of Darkside and targets different regions worldwide, particularly the US, UK, Australia, and Canada.
- This ransomware targets Windows- and Linux-based systems such as NAS (Network-attached Storage) and ESXi servers.
- BlackMatter ransomware operators claim that it combines the best aspects of REvil, Darkside, and Lockbit ransomware. They target a variety of industries with revenue higher than USD 1 million, with the exception of organizations in the healthcare, government, oil and gas, and non-profit sectors.
On 21 July 2021, BlackMatter ransomware operators published a post on a Russian cybercrime forum asking to buy access in bulk for various locations, including the United States, the United Kingdom, and Australia. The following industries were explicitly excluded from their target list:
- Critical Infrastructure
- Oil and Gas
- Government Institutions
BlackMatter operators specifically target companies with a revenue of USD 1 million and above, along with company networks having 500-15000 hosts.
The BlackMatter account on the Russian forum has an escrow balance of 4 BTC, which amounts to ~USD 180K. Apart from evoking confidence in other forum members, the large balance attracts reputed threat actors and experienced Initial Access Brokers (IABs) to work with them. It also shows that the group is serious about carrying out large-scale attacks that require advanced tools and resources.

![BlackMatter advertisement on a cybercrime forum|966x783](upload://vqjWIxhcpQBnVf7qr2FM0TQ72bM.png)

BlackMatter advertisement on a cybercrime forum
Information from Technical Analysis
Based on open-source research, CloudSEK researchers determined that the ransomware has two variants that target both Windows and Linux systems, with some minor changes in their encryption functionality.
The Windows variant of the BlackMatter ransomware performs the following functions:
- The ransomware checks the current user level and, based on that, performs privilege escalation to bypass UAC (User Account Control) via the ICMLuaUtil COM interface.
- The ransomware uses a multithreading mechanism while enumerating the filesystem and during the encryption process by using an I/O completion port.
- The ransomware enumerates the network resources as well as the AD (Active Directory) using LDAP (Lightweight Directory Access Protocol) requests.
- The ransomware excludes specific directories, file names, and file extensions during the encryption process. It also deletes shadow copies of the targeted directories before starting the encryption process.
- The ransomware kills specific processes and deletes or stops specific services on the victim system.
- The encryption algorithm used is Salsa20 and the public key used to protect the encryption key of Salsa20 is RSA-1024.
- After encryption, the ransomware changes the file name to . and drops a ransom note in each folder with the name .README.txt.
- The ransomware collects information about the victim device and sends it back to the C2 server in encrypted form, using the AES-128 ECB algorithm, via HTTP POST requests.
![Information shared by the BlackMatter Ransomware Operators|950x658](upload://x9Nf2wncH3fGnDcVt0M5bptVE5E.png)

Information shared by the BlackMatter Ransomware Operators
Impact & Mitigation
TTPs & IOCs
Tactics, Techniques, and Procedures
Indicators of Compromise
| Indicator | Values |
|---|---|
| List of excluded directory names | windows, system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, program files (x86), program files, $windows.~bt, public, msocache, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old |
| List of excluded file names | desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log |
| List of targeted file extensions | themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu |
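As an added example (not CloudSEK's code and not derived from the malware itself), the following Python triage helper applies the three lists above to a file listing, the way an incident responder would when deciding which files on a compromised host were encryption candidates and which the exclusion rules would have left untouched. It assumes the lists are matched case-insensitively and that a directory name matches at any position in the path. It also treats the extension list as a further set of files the malware leaves alone: the entries (exe, dll, sys, msi, bat and so on) are system and boot files that ransomware typically spares so the host stays bootable, so this reading is an assumption made here about the report's "targeted file extensions" heading. The sample file listing is constructed.

```python
"""Triage a Windows file listing against the BlackMatter exclusion lists.

Added example, not CloudSEK or BlackMatter code. Given paths taken from a
forensic file listing, it reports which files the published exclusion rules
would have skipped (and why) and which were encryption candidates, so an
incident responder can prioritise integrity checks and recovery.
"""
from pathlib import PureWindowsPath

# Lists copied from the report's IOC tables, lower-cased because the
# comparison is assumed to be case-insensitive (Windows file names are).
EXCLUDED_DIRS = {
    "windows", "system volume information", "intel", "$windows.~ws",
    "application data", "$recycle.bin", "mozilla", "program files (x86)",
    "program files", "$windows.~bt", "public", "msocache", "default",
    "all users", "tor browser", "programdata", "boot", "config.msi",
    "google", "perflogs", "appdata", "windows.old",
}
EXCLUDED_FILES = {
    "desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db",
    "boot.ini", "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini",
    "ntuser.dat.log",
}
# The report heads this list "targeted file extensions"; this example treats
# it as an exclusion list (assumption, see the lead-in).
EXCLUDED_EXTENSIONS = {
    "themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat",
    "drv", "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab",
    "diagcfg", "pdb", "wpx", "hlp", "icns", "rom", "dll", "msstyles", "mod",
    "ps1", "ics", "hta", "bin", "cmd", "ani", "386", "lock", "cur", "idx",
    "sys", "com", "deskthemepack", "shs", "ldf", "theme", "mpa", "nomedia",
    "spl", "cpl", "adv", "icl", "msu",
}


def classify(path: str) -> tuple[str, str]:
    """Return ("skipped", reason) if an exclusion rule applies, else ("candidate", "")."""
    p = PureWindowsPath(path)
    # Directory components: every part except the drive/UNC anchor and the file name.
    dirs = [part.lower() for part in p.parts[:-1] if part != p.anchor]
    for d in dirs:
        if d in EXCLUDED_DIRS:
            return ("skipped", f"directory '{d}' is on the exclusion list")
    name = p.name.lower()
    if name in EXCLUDED_FILES:
        return ("skipped", f"file name '{name}' is on the exclusion list")
    ext = p.suffix.lower().lstrip(".")
    if ext in EXCLUDED_EXTENSIONS:
        return ("skipped", f"extension '{ext}' is on the report's extension list")
    return ("candidate", "")


def triage(paths):
    """Group a file listing into encryption candidates and skipped files."""
    report = {"candidate": [], "skipped": []}
    for path in paths:
        verdict, reason = classify(path)
        report[verdict].append((path, reason))
    return report


# Constructed sample listing, not taken from any real incident.
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\Documents\Q3-forecast.xlsx",
    r"C:\Users\alice\AppData\Roaming\Mozilla\profiles.ini",
    r"C:\Users\alice\Desktop\desktop.ini",
    r"C:\Program Files (x86)\Vendor\app.exe",
    r"\\fileserver\finance\invoices\2021-07.pdf",
    r"D:\Backups\db\finance.ldf",
    r"C:\ProgramData\Vendor\license.key",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for path, reason in result["skipped"]:
        print(f"SKIPPED   {path}  ({reason})")
    for path, _ in result["candidate"]:
        print(f"CANDIDATE {path}")
```

Run against the constructed listing, only the spreadsheet and the PDF on the file share come out as candidates; the other six are skipped by a directory, file-name or extension rule, and the reason string tells the responder which list fired. Because a directory name matches at any depth, a user folder that happens to be called "public" or "default" would also be reported as skipped; if you know the sample you are analysing only checks certain levels, tighten the `dirs` loop accordingly.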