win.blackmatter

BlackMatter


Ransomware-as-a-Service

References
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-11-03Group-IBAndrey Zhdanov
@online{zhdanov:20211103:darker:fb1a211, author = {Andrey Zhdanov}, title = {{The Darker Things BlackMatter and their victims}}, date = {2021-11-03}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackmatter2}, language = {English}, urldate = {2021-11-08} } The Darker Things BlackMatter and their victims
BlackMatter
2021-11-03The RecordCatalin Cimpanu
@online{cimpanu:20211103:blackmatter:04b7414, author = {Catalin Cimpanu}, title = {{BlackMatter ransomware says its shutting down due to pressure from local authorities}}, date = {2021-11-03}, organization = {The Record}, url = {https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/}, language = {English}, urldate = {2021-11-03} } BlackMatter ransomware says its shutting down due to pressure from local authorities
BlackMatter
2021-11-03Bleeping ComputerLawrence Abrams
@online{abrams:20211103:blackmatter:5681de9, author = {Lawrence Abrams}, title = {{BlackMatter ransomware moves victims to LockBit after shutdown}}, date = {2021-11-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/}, language = {English}, urldate = {2021-11-08} } BlackMatter ransomware moves victims to LockBit after shutdown
BlackMatter BlackMatter LockBit
2021-11-02VaronisDvir Sason
@online{sason:20211102:blackmatter:f72b080, author = {Dvir Sason}, title = {{BlackMatter Ransomware: In-Depth Analysis & Recommendations}}, date = {2021-11-02}, organization = {Varonis}, url = {https://www.varonis.com/blog/blackmatter-ransomware/}, language = {English}, urldate = {2021-11-03} } BlackMatter Ransomware: In-Depth Analysis & Recommendations
BlackMatter
2021-10-22EllipticElliptic Intel
@online{intel:20211022:darkside:8c61341, author = {Elliptic Intel}, title = {{DarkSide bitcoins on the move following government cyberattack against REvil ransomware group}}, date = {2021-10-22}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group}, language = {English}, urldate = {2021-11-02} } DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22The RecordCatalin Cimpanu
@online{cimpanu:20211022:darkside:27f49ba, author = {Catalin Cimpanu}, title = {{DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement}}, date = {2021-10-22}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/}, language = {English}, urldate = {2021-11-02} } DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22Bleeping ComputerIonut Ilascu
@online{ilascu:20211022:darkside:89e4ee2, author = {Ionut Ilascu}, title = {{DarkSide ransomware rushes to cash out $7 million in Bitcoin}}, date = {2021-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/}, language = {English}, urldate = {2021-11-02} } DarkSide ransomware rushes to cash out $7 million in Bitcoin
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22Twitter (@GelosSnake)Omri Segev Moyal
@online{moyal:20211022:list:7934934, author = {Omri Segev Moyal}, title = {{Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money}}, date = {2021-10-22}, organization = {Twitter (@GelosSnake)}, url = {https://twitter.com/GelosSnake/status/1451465959894667275}, language = {English}, urldate = {2021-11-02} } Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money
BlackMatter DarkSide BlackMatter DarkSide
2021-10-20MandiantJacob Thompson
@online{thompson:20211020:hidden:c64ea48, author = {Jacob Thompson}, title = {{Hidden in Plain Sight: Identifying Cryptography in BLACKMATTER Ransomware}}, date = {2021-10-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/cryptography-blackmatter-ransomware}, language = {English}, urldate = {2021-11-02} } Hidden in Plain Sight: Identifying Cryptography in BLACKMATTER Ransomware
BlackMatter
2021-10-18CISAUS-CERT
@online{uscert:20211018:alert:5701532, author = {US-CERT}, title = {{Alert (AA21-291A): BlackMatter Ransomware}}, date = {2021-10-18}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-291a}, language = {English}, urldate = {2021-10-24} } Alert (AA21-291A): BlackMatter Ransomware
BlackMatter BlackMatter
2021-10-14YouTube (Uriel Kosayev)Uriel Kosayev
@online{kosayev:20211014:darkside:c4648ce, author = {Uriel Kosayev}, title = {{DarkSide Ransomware Reverse Engineering}}, date = {2021-10-14}, organization = {YouTube (Uriel Kosayev)}, url = {https://www.youtube.com/watch?v=NIiEcOryLpI}, language = {English}, urldate = {2021-11-02} } DarkSide Ransomware Reverse Engineering
BlackMatter DarkSide BlackMatter DarkSide
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-23BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210923:threat:e44c44f, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?}}, date = {2021-09-23}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service}, language = {English}, urldate = {2021-10-11} } Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?
BlackMatter DarkSide BlackMatter DarkSide
2021-09-22McAfeeAlexandre Mundo, Marc Elias
@online{mundo:20210922:blackmatter:75b98d9, author = {Alexandre Mundo and Marc Elias}, title = {{BlackMatter Ransomware Analysis; The Dark Side Returns}}, date = {2021-09-22}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/}, language = {English}, urldate = {2021-09-23} } BlackMatter Ransomware Analysis; The Dark Side Returns
BlackMatter
2021-09-21Nozomi NetworksNozomi Networks Labs
@online{labs:20210921:blackmatter:61b1b27, author = {Nozomi Networks Labs}, title = {{BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs}}, date = {2021-09-21}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/}, language = {English}, urldate = {2021-09-24} } BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
BlackMatter
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-10S2W LAB Inc.S2W TALON
@online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-08Cipher Tech SolutionsCipher Tech ACCE Team
@online{team:20210908:rapidly:d7c3f22, author = {Cipher Tech ACCE Team}, title = {{Rapidly Evolving BlackMatter Ransomware Tactics}}, date = {2021-09-08}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/}, language = {English}, urldate = {2021-09-09} } Rapidly Evolving BlackMatter Ransomware Tactics
BlackMatter
2021-09-08Medium s2wlabS2W TALON
@online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08McAfeeMax Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-06KELAVictoria Kivilevich
@online{kivilevich:20210906:ideal:737307f, author = {Victoria Kivilevich}, title = {{The Ideal Ransomware Victim: What Attackers Are Looking For}}, date = {2021-09-06}, organization = {KELA}, url = {https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/}, language = {English}, urldate = {2021-11-02} } The Ideal Ransomware Victim: What Attackers Are Looking For
BlackMatter Cryakl
2021-09-05Chuongdong blogChuong Dong
@online{dong:20210905:blackmatter:2673021, author = {Chuong Dong}, title = {{BlackMatter Ransomware v2.0}}, date = {2021-09-05}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/}, language = {English}, urldate = {2021-09-09} } BlackMatter Ransomware v2.0
BlackMatter
2021-09-02US Department of Health and Human ServicesHealth Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20210902:demystifying:afc61dc, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Demystifying BlackMatter}}, date = {2021-09-02}, institution = {US Department of Health and Human Services}, url = {https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf}, language = {English}, urldate = {2021-11-02} } Demystifying BlackMatter
BlackMatter BlackMatter DarkSide
2021-09-01Medium s2wlabS2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025, author = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon}, title = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}}, date = {2021-09-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751}, language = {English}, urldate = {2021-09-06} } BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-31Minerva LabsMinerva Labs
@online{labs:20210831:blackmatter:26abef6, author = {Minerva Labs}, title = {{BlackMatter - The New Star Of Ransomware}}, date = {2021-08-31}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/blackmatter}, language = {English}, urldate = {2021-09-12} } BlackMatter - The New Star Of Ransomware
BlackMatter
2021-08-23NetskopeGustavo Palazolo
@online{palazolo:20210823:netskope:356b783, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: BlackMatter}}, date = {2021-08-23}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-blackmatter}, language = {English}, urldate = {2021-08-25} } Netskope Threat Coverage: BlackMatter
BlackMatter
2021-08-09SophosMark Loman
@online{loman:20210809:blackmatter:d7606f3, author = {Mark Loman}, title = {{BlackMatter ransomware emerges from the shadow of DarkSide}}, date = {2021-08-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/}, language = {English}, urldate = {2021-08-25} } BlackMatter ransomware emerges from the shadow of DarkSide
BlackMatter BlackMatter
2021-08-06Group-IBAndrey Zhdanov
@online{zhdanov:20210806:its:e5b4483, author = {Andrey Zhdanov}, title = {{It's alive! The story behind the BlackMatter ransomware strain}}, date = {2021-08-06}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackmatter#}, language = {English}, urldate = {2021-08-09} } It's alive! The story behind the BlackMatter ransomware strain
BlackMatter DarkSide BlackMatter DarkSide
2021-08-05TesorionGijs Rijnders
@online{rijnders:20210805:analysis:6a836dd, author = {Gijs Rijnders}, title = {{Analysis of the BlackMatter ransomware}}, date = {2021-08-05}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/}, language = {English}, urldate = {2021-08-24} } Analysis of the BlackMatter ransomware
BlackMatter
2021-08-04Jan Gruber
@online{gruber:20210804:understanding:ad8ac48, author = {Jan Gruber}, title = {{Understanding BlackMatter's API Hashing}}, date = {2021-08-04}, url = {https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html}, language = {English}, urldate = {2021-08-09} } Understanding BlackMatter's API Hashing
BlackMatter
2021-08-04Recorded FutureInsikt Group®
@techreport{group:20210804:protect:283486d, author = {Insikt Group®}, title = {{Protect Against BlackMatter Ransomware Before It’s Offered}}, date = {2021-08-04}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf}, language = {English}, urldate = {2021-08-06} } Protect Against BlackMatter Ransomware Before It’s Offered
BlackMatter DarkSide
Yara Rules
[TLP:WHITE] win_blackmatter_auto (20211008 | Detects win.blackmatter.)
rule win_blackmatter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.blackmatter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter"
        malpedia_rule_date = "20211007"
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of 32-bit x86 instruction bytes (the
        // disassembly is listed beneath each one). Bytes written as ?? are
        // wildcards: the 4-byte operands of call / jmp / indirect-call
        // instructions are masked, so a sequence matches regardless of the
        // concrete address the operand holds in a given build.
        $sequence_0 = { 8b4508 8b480c 0fc9 51 8b4808 0fc9 }
            // n = 6, score = 400
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b480c               | mov                 ecx, dword ptr [eax + 0xc]
            //   0fc9                 | bswap               ecx
            //   51                   | push                ecx
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   0fc9                 | bswap               ecx

        // NOTE(review): 0x41c64e6d / 0x3039 are the multiplier and increment
        // of the common ANSI C rand() linear congruential generator; this is
        // presumably part of the family's hashing or PRNG routine — confirm
        // against the referenced API-hashing write-up before relying on it.
        $sequence_1 = { 51 52 e8???????? b96d4ec641 f7e1 0539300000 25ffffff07 }
            // n = 7, score = 400
            //   51                   | push                ecx
            //   52                   | push                edx
            //   e8????????           |                     
            //   b96d4ec641           | mov                 ecx, 0x41c64e6d
            //   f7e1                 | mul                 ecx
            //   0539300000           | add                 eax, 0x3039
            //   25ffffff07           | and                 eax, 0x7ffffff

        $sequence_2 = { 3bc1 7527 ff75f4 ff75f8 e8???????? }
            // n = 5, score = 400
            //   3bc1                 | cmp                 eax, ecx
            //   7527                 | jne                 0x29
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     

        $sequence_3 = { eb02 eb05 49 85c9 75da 5e }
            // n = 6, score = 400
            //   eb02                 | jmp                 4
            //   eb05                 | jmp                 7
            //   49                   | dec                 ecx
            //   85c9                 | test                ecx, ecx
            //   75da                 | jne                 0xffffffdc
            //   5e                   | pop                 esi

        $sequence_4 = { ff75fc ff15???????? 8b45fc e9???????? 83c608 4b }
            // n = 6, score = 400
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   e9????????           |                     
            //   83c608               | add                 esi, 8
            //   4b                   | dec                 ebx

        $sequence_5 = { ff75ec ff75f8 ff15???????? 85c0 7402 }
            // n = 5, score = 400
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7402                 | je                  4

        $sequence_6 = { ff15???????? 85c0 7575 6a00 ff7510 ff750c ff75f4 }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   7575                 | jne                 0x77
            //   6a00                 | push                0
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_7 = { 81ec04010000 53 56 57 c745fc00000000 ff35???????? e8???????? }
            // n = 7, score = 400
            //   81ec04010000         | sub                 esp, 0x104
            //   53                   | push                ebx
            //   56                   | push                esi
            //   57                   | push                edi
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ff35????????         |                     
            //   e8????????           |                     

        $sequence_8 = { 8b7138 8b793c 115030 115834 117038 11783c 8b5140 }
            // n = 7, score = 400
            //   8b7138               | mov                 esi, dword ptr [ecx + 0x38]
            //   8b793c               | mov                 edi, dword ptr [ecx + 0x3c]
            //   115030               | adc                 dword ptr [eax + 0x30], edx
            //   115834               | adc                 dword ptr [eax + 0x34], ebx
            //   117038               | adc                 dword ptr [eax + 0x38], esi
            //   11783c               | adc                 dword ptr [eax + 0x3c], edi
            //   8b5140               | mov                 edx, dword ptr [ecx + 0x40]

        $sequence_9 = { 83f905 7305 5e 5d c20400 ac }
            // n = 6, score = 400
            //   83f905               | cmp                 ecx, 5
            //   7305                 | jae                 7
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   ac                   | lodsb               al, byte ptr [esi]

    condition:
        // Fires when at least 7 of the 10 sequences above are present and the
        // scanned object is smaller than 194560 bytes (190 KiB). Per the
        // disclaimer the sequences were taken from memory dumps and unpacked
        // files, so packed samples presumably will not contain them, and any
        // file at or above the size bound is excluded regardless of content.
        7 of them and filesize < 194560
}