Exfiltration
- PrivatLab
BlackMatter is a ransomware-as-a-service (RaaS) operation that emerged in late July 2021 after the apparent shutdown of DarkSide and REvil.
Profile source: Mallory opens in a new tabBLACKMATTER
BlackMatter is a ransomware-as-a-service (RaaS) operation that emerged in late July 2021 after the apparent shutdown of DarkSide and REvil. Multiple sources link it to the former DarkSide ecosystem: Microsoft states ELBRUS/FIN7 released BlackMatter in July 2021 as DarkSide’s successor and retired it in November 2021, while Sophos assessed BlackMatter shows multiple technical connections to DarkSide but is not simply identical code or a direct rebrand. BlackMatter has also been discussed in reporting about later ransomware lineages, including overlaps with LockBit 3.0/LockBit Black and ALPHV/BlackCat, and ExMatter is identified as BlackMatter’s custom data-exfiltration tool.
BlackMatter is a double-extortion ransomware family. Reported campaigns involved both file encryption and exfiltration of victim data, with ransom demands backed by threats to delete or publicly expose stolen information. Splunk content states BlackMatter campaigns targeted healthcare and other vertical sectors, citing an HHS bulletin. BlackMatter has also been listed among ransomware families observed targeting VMware ESXi environments.
Technically, BlackMatter uses in-place, multithreaded, partial file encryption and renames files before encryption. Sophos reported that it appends a decryption blob to the end of encrypted files, sets a ransom wallpaper very similar to DarkSide’s, uses runtime API resolution and runtime string decryption, and changes file DACLs to grant Everyone full access before encryption. The analyzed sample collected victim host details and sent them to a remote server hosted on paymenthacks.com. BlackMatter supports Safe Mode encryption via the -safe switch and can enable the built-in local Administrator account, configure AutoAdminLogon, set RunOnce registry entries, and use bcdedit to reboot into Safe Mode with Networking before encrypting files; afterward it removes the safeboot setting and restarts the machine. It also uses the elevated COM object Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} for UAC bypass. Splunk detections and attack simulations further associate BlackMatter with AutoAdminLogon registry modification, DefaultUserName/DefaultPassword registry additions under Winlogon, bcdedit-based Safe Mode boot changes, return-to-normal boot changes, wallpaper modification, stopping security and backup services, and schcache access caused by creation of an ADSI object for an LDAP query.
Observed deployment tradecraft includes execution via a scheduled task that runs a PowerShell script from a domain-accessible UNC path, with the ransomware binary base64-encoded inside the script. Cisco Talos compared a September 2021 BlackMatter intrusion with a later BlackCat intrusion and found BlackMatter operators using GOST for reverse SSH tunneling, scheduled tasks for persistence, LSASS dumping via comsvcs.dll minidump through rundll32, lateral movement via Impacket wmiexec, WinRM/PowerShell, RDP, and PsExec/RemCom, firewall changes to permit inbound TCP 5985, Group Policy-based domain-wide deployment using apply.ps1 and gpupdate /force, and execution of ransomware binaries from the domain controller’s NETLOGON share. Talos also noted a BlackMatter attack may have involved exploitation of Microsoft Exchange vulnerabilities, though with low confidence.
BlackMatter is associated in the provided content with ELBRUS/FIN7 and the post-DarkSide ransomware ecosystem. Reporting also notes likely connections between RAMP forum members and BlackMatter, and later reporting on ALPHV/BlackCat describes overlaps with the now-defunct BlackMatter family. High-confidence indicators directly mentioned in the content include the Sophos-analyzed sample SHA-256 22D7D67C3AF10B1A37F277EBABE2D1EB4FD25AFBD6437D4377400E148BCC08D6, the paymenthacks.com server used by that sample for host-information transmission, and Talos infrastructure including the domain windows[.]menu and IPs 52.149.228[.]45 and 20.46.245[.]56 observed in related intrusion activity.
Ransomware.live
Reported operators
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021.
MITRE ATT&CK
Reporting
GG recommended looking into Darkside/Blackmatter/BlackCat ESXi locker(s), praising its quality and admin panel.
This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption.
Associated Analytic Story BlackMatter Ransomware
This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes.
This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption.
This activity is significant because it is associated with BlackMatter ransomware, which uses this technique to automatically log on to compromised hosts and continue encryption after a safe mode boot.
Associated Analytic Story BlackMatter Ransomware
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.