BlackMatter Ransomware Detection

October 28, 2021 · 4 min read
BlackMatter ransomware

BlackMatter ransomware is on the rise, hitting high-profile targets across the US, Europe, and Asia. Being an off-spring of the infamous DarkSide hacking collective, BlackMatter adopted the most prolific tactics from its predecessor to crash into the big ransomware game during July 2021. The joint advisory by CISA, FBI, and NSA attributes multiple attacks against U.S. critical infrastructure assets to BlackMatter. Also, security experts point that the BlackMatter ransomware group could have been involved in the ground-breaking Colonial Pipeline hack.

BlackMatter Ransomware

First spotted in July 2021, BlackMatter is a new Ransomware-as-a-Service (RaaS) ring hunting for heavyweight profits. Despite being a new player in the malicious arena, BlackMatter has already targeted numerous big-name organizations, including two U.S. Food and Agriculture Sector organizations as well as the European operations of Japanese optical technology giant Olympus. The ransom demands range from $80,000 to $15,000,000 in Bitcoin and Monero, proving that BlackMatter is hitting hard and striving big.

To add to BlackMatter’s notoriety, ransomware maintainers support the double extortion trend. Hackers not only encrypt sensitive data during the attack but also steal confidential details. As a result, companies are pushed to pay the ransom to prevent data leaks.

Security experts believe that BlackMatter could be a rebrand of the notorious DarkSide group due to significant code and techniques overlaps observed during malware analysis. Yet, BlackMatter maintainers claim to be an independent group of developers who adopted the best approaches of other malware like GandCrab, LockBit, and DarkSide

Attack Kill Chain

According to CISA, BlackMatter leverages embedded admin or user credentials for the initial compromise. Particularly, the embedded creds in the LDAP and SMB protocol are used to discover all hosts in the Active Directory (AD) and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Then, BlackMatter remotely encrypts all accessible shares’ data from the initially compromised host, including ADMIN$, C$, SYSVOL, and NETLOGON.

Furthermore, BlackMatter was identified to be successful in attacks against Linux and ESXi virtual machines. The threat uses a separate encryption binary, and rather than encrypting backup systems, adversaries wipe or reformat backup data stores and appliances.

Notably, in October 2021, cybersecurity firm Emisfoft revealed a major bug in BlackMatter code which allowed researchers to produce a decryptor for BlackMatter ransomware victims. Emisoft has immediately alerted law enforcement, CERTS, and trusted partners so they can help organizations restore data for free without paying the ransom. However, BlackMatter maintainers learned of the bug at the end of September 2021 and fixed it promptly. Therefore, the existing decryptor works only for victims that suffered an attack before September 2021.

Detecting BlackMatter Ransomware

To protect your company infrastructure from possible BlackMatter infections, you can download a set of Sigma rules developed by our seasoned Threat Bounty developers. 

BlackMatter Ransomware of DarkSide Registry Detect

BlackMatter Technique by Registry Modification to Implement Admin Logon

BlackMatter Technique by Using Bcdedit Command Back To Normal Mode Boot

BlackMatter Ransomware (via registry_event)

Detect Blackmatter, Use LDAP Queries to Access the Schcache Folder

Also, we recommend you inspect the Industry Guidelines: Defending Against Ransomware Attacks in 2021 provided by Vlad Garaschenko, CISO at SOC Prime. These guidelines cover best practices for ransomware defense and offer the latest detections against ransomware attacks to help the leading MSPs and organizations in various sectors proactively withstand industry-specific intrusions. 

Explore the world’s first platform for collaborative cyber defense, threat hunting and discovery to boost threat detection capabilities and defend against attacks easier, faster and more efficiently. Eager to craft your own Sigma and YARA rules to make the world a safer place? Join our Threat Bounty Program to get recurrent rewards for your valuable input!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts