
rThreat Adversary Spotlight: Blackmatter Ransomware

Ransomware continues to be a popular vector for threat actors. Our current adversary spotlight is on BlackMatter ransomware. BlackMatter was first advertised on cyber underground forums on July 21, 2021. It is aimed at English-speaking users and can spread all over the world. The group behind this ransomware and their representative on hacker forums call themselves BlackMatter.

Overview of BlackMatter Ransomware

BlackMatter is a new ransomware group that appeared and started posting on multiple cybercrime forums, namely Exploit and XSS, stating that they are looking for affiliates and partners. Specifically, they are looking for initial access brokers: individuals with access to hacked companies that can be used as an entry point into the company. They want access to companies with revenues of $100 million/year or larger, whose networks have between 500 and 15,000 hosts located in the US, UK, Canada, or Australia. BlackMatter is willing to pay up to $100,000 for exclusive access to any target matching this description.

[Image: Lockfile ransom note]

BlackMatter the Ransomware

When it comes to the ransomware itself, the group bragged that it has the capability to encrypt different operating system versions and architectures. This includes “Windows systems (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices (such as Synology, OpenMediaVault, FreeNAS, and TrueNAS).”

The execution of BlackMatter is standard for ransomware. The malware encrypts all of the company's information, places a ransom note in every directory, sends information collected from the systems to the C&C server, and performs data exfiltration and any other action directed by the C&C server.

Security researchers have analyzed the malware and found some useful information. Firstly, it is a GUI-based x86 executable that uses only 3 libraries.

Next, they have been able to identify a number of IOCs that can be useful in blocking the malware, or at least in detecting its presence quickly:
Indicators of Compromise (IOCs)

Indicator | Type
[indicator values not preserved in this copy of the post] | TA Contact URL
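The IOCs above are only useful once they are actually checked against telemetry. The script below is an added example of how a defender would do that, not code from the original post or from rThreat: it normalizes an IOC list (a TA contact URL and a file hash) and matches it against proxy and EDR log lines and against file contents. The indicator values, log lines and file bytes in it are constructed placeholders, because the original table's values did not survive on this page; substitute the real indicators before use.

```python
"""Match IOC values (TA contact URLs, SHA-256 hashes) against logs and files.

Added example for the rThreat BlackMatter post; not the post's own code.
All indicator values and log lines here are constructed placeholders.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit, urlunsplit

# Placeholder IOC table (constructed; NOT real BlackMatter indicators).
# Keys mirror the "Type" column of the post's table.
RAW_IOCS: Dict[str, Set[str]] = {
    "ta_contact_url": {"HTTP://Example-TA-Contact.invalid/contact"},
    "sha256": {"00" * 32},  # placeholder hash, replace with the real one
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host and drop a trailing slash so that trivial
    spelling differences (case, trailing '/') still match the IOC."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       parts.query, parts.fragment))


def normalize_iocs(raw: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Apply the same normalization to the IOC list that is applied to logs."""
    out: Dict[str, Set[str]] = {}
    for ioc_type, values in raw.items():
        if ioc_type.endswith("url"):
            out[ioc_type] = {normalize_url(v) for v in values}
        else:
            out[ioc_type] = {v.lower() for v in values}
    return out


IOCS = normalize_iocs(RAW_IOCS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_log_lines(lines: Iterable[str], iocs: Dict[str, Set[str]] = IOCS) -> List[dict]:
    """Return one hit per (line, IOC type, value) found in the given log lines."""
    hits: List[dict] = []
    for lineno, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            norm = normalize_url(url)
            if norm in iocs.get("ta_contact_url", set()):
                hits.append({"line": lineno, "type": "ta_contact_url", "value": norm})
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs.get("sha256", set()):
                hits.append({"line": lineno, "type": "sha256", "value": digest.lower()})
    return hits


def file_matches(data: bytes, iocs: Dict[str, Set[str]] = IOCS) -> bool:
    """True if the SHA-256 of the file contents is a known-bad hash."""
    return sha256_hex(data) in iocs.get("sha256", set())


# Constructed sample telemetry: a proxy allow line, a proxy line hitting the
# placeholder TA contact URL with different casing, and an EDR file event
# carrying the placeholder hash.
SAMPLE_LOG = [
    "2021-08-01T10:00:00Z proxy allow user=alice url=https://www.example.com/",
    "2021-08-01T10:00:05Z proxy allow user=bob url=HTTP://EXAMPLE-TA-CONTACT.INVALID/contact/",
    "2021-08-01T10:00:09Z edr file_written path=C:\\Users\\bob\\x.exe sha256=" + "00" * 32,
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['type']} {hit['value']}")
```

Normalizing both the IOC list and the log fields with the same function is the point worth copying: a URL indicator compared byte-for-byte against a proxy log will miss the same address written in upper case or without a trailing slash.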


BlackMatter Ransomware Dark Web Site

BlackMatter owns and operates its own website on the dark web. The site describes the rules of their illegal business, has an "about us" page, and publishes the leaked data of companies that refuse to pay their ransom.



Blackmatter claims that they don’t target the following companies:

  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
  • Oil and gas industry (pipelines, oil refineries).
  • Defense industry.
  • Non-profit companies.
  • Government sector.

If a company in one of these sectors is infected, they will decrypt it for free (allegedly).


BlackMatter Prevention Methods

With the exception of the indicators of compromise mentioned above, all prevention techniques will be standard best practices for cybersecurity.

– Strong passwords and two-factor authentication where possible

– Keep all your company software updated and fully patched

– Security awareness training for employees to prevent successful phishing attacks

– Create regular backups and keep copies of them outside of the company network

– Invest in anti-malware solutions that can prevent and detect malware on the company network


The Importance of Continuous Security Validation

If you really want to make sure you're protected in the event of a ransomware attack, you need to test your cyber defenses on a continuous basis. rThreat's breach and attack emulation platform contains a library of newly released malware that can be used to test your environment's defenses against those malware variants before you are attacked. Right now, rThreat has BlackMatter variants in our library for testing purposes that can help ensure you're protected from this type of ransomware. Our platform not only validates the effectiveness of security tools and processes, but it can also be used to run drills with your security team so they're trained to rapidly detect and respond to this type of ransomware attack. If you would like to try a demo of rThreat's solution, contact our team here.

