
rThreat Adversary Spotlight: Blackmatter Ransomware

Ransomware continues to be a popular vector for threat actors. Our current spotlight adversary is BlackMatter ransomware. BlackMatter was first advertised on cyber-underground forums on July 21, 2021. It targets English-speaking users and can spread all over the world. The group behind this ransomware, and their representative on hacker forums, call themselves BlackMatter.

Overview of BlackMatter Ransomware

BlackMatter is a new ransomware group that appeared and started posting on multiple cybercrime forums, namely Exploit and XSS, stating that they are looking for affiliates and partners. Specifically, they are recruiting initial access brokers: individuals with access to already-compromised companies that can be used as an entry point into the company. They are looking for individuals with access to companies with revenues of $100 million/year or larger. The company’s network also needs to have between 500 and 15,000 hosts located in the US, UK, Canada, or Australia. BlackMatter is willing to pay up to $100,000 for exclusive access to any target matching this description.


BlackMatter the Ransomware

When it comes to the ransomware itself, the group bragged that it has the capability to encrypt different operating system versions and architectures. This includes “Windows systems (via SafeMode), Linux (Ubuntu, Debian, CentOS), VMWare ESXi 5+ virtual endpoints, and network-attached storage (NAS) devices (such as Synology, OpenMediaVault, FreeNAS, and TrueNAS).”

The execution of BlackMatter is standard for ransomware. The malware encrypts all of the company’s information, places a ransom note in every directory, sends information collected from the systems to the C&C server, and performs data exfiltration and any other action directed by the C&C server.

Security researchers who analysed the malware found some useful information. Firstly, it is a GUI-based x86 executable that uses only three libraries.

Next, they identified a number of IOCs that can be useful in blocking the malware, or at least in detecting its presence quickly:
Indicators of Compromise (IOCs)

Indicators                                                                 | Indicator Type | Description
daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720           | Hash           | SHA-256
c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99           | Hash           | SHA-256
7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984           | Hash           | SHA-256
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6           | Hash           | SHA-256
mojobiden[.]com                                                            | URL            | TA C2
paymenthacks[.]com                                                         | URL            | TA C2
http:[//]supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion | TOR URL        | TA Contact URL
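A defender can put the indicators above to work in two places: file hashes from a scan of endpoints or file shares, and DNS/proxy logs for the C2 and contact domains. The following script is an added example written for this post, not rThreat’s code or tooling. It takes the SHA-256 hashes and defanged domains from the table, refangs the domains, hashes files under a directory, and matches DNS log lines (constructed sample lines, not real telemetry) against the C2 hosts, including subdomains of them.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# SHA-256 indicators published in the table above.
BLACKMATTER_SHA256 = {
    "daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720",
    "c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99",
    "7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984",
    "22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6",
}

# Network indicators exactly as defanged in the table; refanged before matching.
DEFANGED_NETWORK_IOCS = [
    "mojobiden[.]com",
    "paymenthacks[.]com",
    "http:[//]supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('x[.]com', 'http:[//]...') back into its real form."""
    return indicator.replace("[.]", ".").replace("[//]", "//").replace("hxxp", "http")


def indicator_host(indicator: str) -> str:
    """Return the lower-cased hostname of a defanged domain or URL indicator."""
    s = refang(indicator)
    if "://" in s:
        s = urlparse(s).hostname or ""
    return s.lower()


C2_HOSTS = {indicator_host(i) for i in DEFANGED_NETWORK_IOCS}


def sha256_of_file(path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root) -> list:
    """Return (path, sha256) for every file under root whose hash is a known indicator."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            digest = sha256_of_file(p)
            if digest in BLACKMATTER_SHA256:
                hits.append((str(p), digest))
    return hits


# Loose hostname pattern; good enough to pull names out of key=value log lines.
HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def scan_log_lines(lines) -> list:
    """Return (line_no, host, line) for lines that resolve a C2 host or a subdomain of it."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS):
                hits.append((n, h, line.strip()))
    return hits


# Constructed sample DNS log lines (not real telemetry) for demonstration.
SAMPLE_DNS_LOG = [
    "2021-08-02T10:14:03Z client=10.0.0.15 query=A name=update.microsoft.com",
    "2021-08-02T10:14:09Z client=10.0.0.15 query=A name=mojobiden.com",
    "2021-08-02T10:15:41Z client=10.0.0.22 query=A name=cdn.paymenthacks.com",
    "2021-08-02T10:16:00Z client=10.0.0.22 query=A name=notpaymenthacks.com",
]


def demo():
    """Hash a benign empty file in a temp directory (no IOC hit) and scan the sample log."""
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "benign.txt"
        benign.write_bytes(b"")
        return sha256_of_file(benign), scan_directory(d), scan_log_lines(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    digest, file_hits, log_hits = demo()
    print("benign file sha256:", digest, "file hits:", file_hits)
    for n, host, line in log_hits:
        print(f"line {n}: C2 host {host} -> {line}")
```

Note that "notpaymenthacks.com" is deliberately not flagged: matching on "ends with .paymenthacks.com" or exact equality avoids the false positives that a plain substring search would produce. Hash matching only catches the exact samples listed; repacked builds will have different hashes, so treat the domain matches as the longer-lived signal.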

BlackMatter Ransomware Dark Web Site

BlackMatter owns and operates its own website on the dark web. Their website gives information about their illegal business’s rules, an about us page, and the leaked information of companies that refuse to pay their ransom.

Blackmatter claims that they don’t target the following companies:

  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
  • Oil and gas industry (pipelines, oil refineries).
  • Defense industry.
  • Non-profit companies.
  • Government sector.

If a company in one of these sectors is infected, they will decrypt it for free (allegedly).


BlackMatter Prevention Methods

Apart from the indicators of compromise mentioned above, all prevention techniques are standard cybersecurity best practices:

– Strong passwords and two-factor authentication (2FA) where possible

– Keep all your company software updated and fully patched

– Security awareness training for employees to prevent successful phishing attacks

– Create regular backups and keep copies of them outside of the company network

– Invest in anti-malware solutions that can prevent and detect malware on the company network

The Importance of Continuous Security Validation

If you really want to make sure you’re protected in the event of a ransomware attack, you need to test your cyber defenses on a continuous basis. rThreat’s breach and attack emulation platform contains a library of newly released malware that can be used to test your environment’s defenses for those malware variants before you are attacked. Right now, rThreat has BlackMatter variants in our library for testing purposes that can help ensure you’re protected from this type of ransomware. Our platform not only validates the effectiveness of security tools and processes, but it can also be used to run drills with your security team so they’re trained on how to rapidly detect and respond to this type of ransomware attack. If you would like to try a demo of rThreat’s solution, contact our team here.

Do you want to learn more about cybersecurity? Please subscribe to our newsletter.