BlackMatter (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.blackmatter (Back to overview)

BlackMatter

VTCollection

According to PCrisk, BlackMatter is a piece of malicious software categorized as ransomware. It operates by encrypting data for the purpose of making ransom demands for the decryption tools. In other words, files affected by BlackMatter are rendered inaccessible, and victims are asked to pay - to recover access to their data.

During the encryption process, files are appended with an extension consisting of a random character string. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg.k5RO9fVOl". After this process is complete, the ransomware changes the desktop wallpaper and created a ransom note - "[random_string].README.txt" (e.g., k5RO9fVOl.README.txt).

References

2024-06-05 ⋅ S-RM ⋅ David Broom, Gavin Hull
Exmatter malware levels up: S-RM observes new variant with simultaneous remote code execution and data targeting
BlackCat BlackMatter Conti ExMatter LockBit REvil Ryuk

2022-09-22 ⋅ Broadcom ⋅ Symantec Threat Hunter Team
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide

2022-08-02 ⋅ Recorded Future ⋅ Insikt Group
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar

2022-07-25 ⋅ Trend Micro ⋅ Byron Gelera, Ieriz Nicolle Gonzalez, Ivan Nicole Chavez, Katherine Casona, Nathaniel Gregory Ragasa, Nathaniel Morales
LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
BlackMatter LockBit

2022-07-13 ⋅ ⋅ GLIMPS ⋅ GLIMPS
Lockbit 3.0
BlackMatter DarkSide LockBit

2022-05-09 ⋅ Microsoft Security ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT

2022-04-27 ⋅ ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-13 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team
Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader

2022-04-08 ⋅ The Hacker News ⋅ Ravie Lakshmanan
Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity
BlackCat BlackMatter BlackCat BlackMatter

2022-03-24 ⋅ SentinelOne ⋅ Antonio Cocomazzi
Ransomware Encryption Internals: A Behavioral Characterization
Babuk Babuk BlackMatter

2022-03-23 ⋅ splunk ⋅ Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-03-22 ⋅ The Register ⋅ Jeff Burt
This is a BlackCat you don't want crossing your path
BlackCat BlackMatter

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2022-03-17 ⋅ Cisco ⋅ Caitlin Huey, Tiago Pereira
From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
BlackCat BlackMatter BlackCat BlackMatter

2022-03-16 ⋅ Symantec ⋅ Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin

2022-03-01 ⋅ VirusTotal ⋅ VirusTotal
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT

2022-02-23 ⋅ splunk ⋅ Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk

2022-01-19 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk

2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX

2021-12-10 ⋅ Medium s2wlab ⋅ S2W TALON
BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration
BlackCat BlackMatter

2021-11-24 ⋅ Google ⋅ Google Cybersecurity Action Team, Google Threat Analysis Group
Threat Horizons Cloud Threat Intelligence November 2021. Issue 1
BlackMatter

2021-11-04 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader

2021-11-03 ⋅ Group-IB ⋅ Andrey Zhdanov
The Darker Things BlackMatter and their victims
BlackMatter DarkSide BlackMatter DarkSide

2021-11-03 ⋅ Bleeping Computer ⋅ Lawrence Abrams
BlackMatter ransomware moves victims to LockBit after shutdown
BlackMatter BlackMatter LockBit

2021-11-03 ⋅ The Record ⋅ Catalin Cimpanu
BlackMatter ransomware says its shutting down due to pressure from local authorities
BlackMatter

2021-11-02 ⋅ Varonis ⋅ Dvir Sason
BlackMatter Ransomware: In-Depth Analysis & Recommendations
BlackMatter

2021-10-22 ⋅ Elliptic ⋅ Elliptic Intel
DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
BlackMatter DarkSide BlackMatter DarkSide

2021-10-22 ⋅ The Record ⋅ Catalin Cimpanu
DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement
BlackMatter DarkSide BlackMatter DarkSide

2021-10-22 ⋅ Bleeping Computer ⋅ Ionut Ilascu
DarkSide ransomware rushes to cash out $7 million in Bitcoin
BlackMatter DarkSide BlackMatter DarkSide

2021-10-22 ⋅ Twitter (@GelosSnake) ⋅ Omri Segev Moyal
Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money
BlackMatter DarkSide BlackMatter DarkSide

2021-10-20 ⋅ Mandiant ⋅ Jacob Thompson
Hidden in Plain Sight: Identifying Cryptography in BLACKMATTER Ransomware
BlackMatter

2021-10-18 ⋅ CISA ⋅ US-CERT
Alert (AA21-291A): BlackMatter Ransomware
BlackMatter BlackMatter

2021-10-14 ⋅ YouTube (Uriel Kosayev) ⋅ Uriel Kosayev
DarkSide Ransomware Reverse Engineering
BlackMatter DarkSide BlackMatter DarkSide

2021-10-12 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil

2021-09-23 ⋅ Blackberry ⋅ The BlackBerry Research & Intelligence Team
Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?
BlackMatter DarkSide BlackMatter DarkSide

2021-09-22 ⋅ McAfee ⋅ Alexandre Mundo, Marc Elias
BlackMatter Ransomware Analysis; The Dark Side Returns
BlackMatter

2021-09-21 ⋅ Nozomi Networks ⋅ Nozomi Networks Labs
BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
BlackMatter

2021-09-14 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil

2021-09-10 ⋅ S2W LAB Inc. ⋅ S2W TALON
Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter

2021-09-08 ⋅ Ciper Tech Solutions ⋅ Cipher Tech ACCE Team
Rapidly Evolving BlackMatter Ransomware Tactics
BlackMatter

2021-09-08 ⋅ Medium s2wlab ⋅ S2W TALON
Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter

2021-09-08 ⋅ McAfee ⋅ John Fokker, Max Kersten, Thibault Seret
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker

2021-09-06 ⋅ KELA ⋅ Victoria Kivilevich
The Ideal Ransomware Victim: What Attackers Are Looking For
BlackMatter Cryakl

2021-09-05 ⋅ Chuongdong blog ⋅ Chuong Dong
BlackMatter Ransomware v2.0
BlackMatter

2021-09-02 ⋅ US Department of Health and Human Services ⋅ Health Sector Cybersecurity Coordination Center (HC3)
Demystifying BlackMatter
BlackMatter BlackMatter DarkSide

2021-09-01 ⋅ Medium s2wlab ⋅ Chaewon Moon, Denise Dasom Kim, Jungyeon Lim, S2W LAB INTELLIGENCE TEAM, Sujin Lim, Yeonghyeon Jeong
BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter

2021-08-31 ⋅ Minerva Labs ⋅ Minerva Labs
BlackMatter - The New Star Of Ransomware
BlackMatter

2021-08-23 ⋅ Netskope ⋅ Gustavo Palazolo
Netskope Threat Coverage: BlackMatter
BlackMatter

2021-08-15 ⋅ Symantec ⋅ Threat Hunter Team
The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker

2021-08-09 ⋅ Sophos ⋅ Mark Loman
BlackMatter ransomware emerges from the shadow of DarkSide
BlackMatter BlackMatter

2021-08-06 ⋅ Group-IB ⋅ Andrey Zhdanov
It's alive! The story behind the BlackMatter ransomware strain
BlackMatter DarkSide BlackMatter DarkSide

2021-08-05 ⋅ Tesorion ⋅ Gijs Rijnders
Analysis of the BlackMatter ransomware
BlackMatter

2021-08-04 ⋅ Recorded Future ⋅ Insikt Group®
Protect Against BlackMatter Ransomware Before It’s Offered
BlackMatter DarkSide

2021-08-04 ⋅ Jan Gruber
Understanding BlackMatter's API Hashing
BlackMatter

Yara Rules

[TLP:WHITE] win_blackmatter_auto (20241030 | Detects win.blackmatter.)

rule win_blackmatter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.blackmatter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f803 7409 83f802 0f857c010000 e8???????? 83f83d }
            // n = 6, score = 400
            //   83f803               | cmp                 eax, 3
            //   7409                 | je                  0xb
            //   83f802               | cmp                 eax, 2
            //   0f857c010000         | jne                 0x182
            //   e8????????           |                     
            //   83f83d               | cmp                 eax, 0x3d

        $sequence_1 = { c20400 55 8bec 83c4f0 53 c745fc00000000 c745f800000000 }
            // n = 7, score = 400
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83c4f0               | add                 esp, -0x10
            //   53                   | push                ebx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0

        $sequence_2 = { 837dd800 7505 e9???????? 68???????? e8???????? }
            // n = 5, score = 400
            //   837dd800             | cmp                 dword ptr [ebp - 0x28], 0
            //   7505                 | jne                 7
            //   e9????????           |                     
            //   68????????           |                     
            //   e8????????           |                     

        $sequence_3 = { 75df 8bc2 5e 5a 5d }
            // n = 5, score = 400
            //   75df                 | jne                 0xffffffe1
            //   8bc2                 | mov                 eax, edx
            //   5e                   | pop                 esi
            //   5a                   | pop                 edx
            //   5d                   | pop                 ebp

        $sequence_4 = { 8945f0 837df000 0f8491000000 ff75f4 ff75f0 }
            // n = 5, score = 400
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   837df000             | cmp                 dword ptr [ebp - 0x10], 0
            //   0f8491000000         | je                  0x97
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff75f0               | push                dword ptr [ebp - 0x10]

        $sequence_5 = { 50 8d4302 50 e8???????? a3???????? 6a40 8d85fcfeffff }
            // n = 7, score = 400
            //   50                   | push                eax
            //   8d4302               | lea                 eax, [ebx + 2]
            //   50                   | push                eax
            //   e8????????           |                     
            //   a3????????           |                     
            //   6a40                 | push                0x40
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]

        $sequence_6 = { 7429 8d85f8feffff 50 ff15???????? 85c0 }
            // n = 5, score = 400
            //   7429                 | je                  0x2b
            //   8d85f8feffff         | lea                 eax, [ebp - 0x108]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        $sequence_7 = { 72df 807d085a 77df b802000000 5d c20400 55 }
            // n = 7, score = 400
            //   72df                 | jb                  0xffffffe1
            //   807d085a             | cmp                 byte ptr [ebp + 8], 0x5a
            //   77df                 | ja                  0xffffffe1
            //   b802000000           | mov                 eax, 2
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp

        $sequence_8 = { 6a00 ff15???????? 8945f0 ff75f4 }
            // n = 4, score = 400
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        $sequence_9 = { f7f1 92 3b4508 720b 3b450c }
            // n = 5, score = 400
            //   f7f1                 | div                 ecx
            //   92                   | xchg                eax, edx
            //   3b4508               | cmp                 eax, dword ptr [ebp + 8]
            //   720b                 | jb                  0xd
            //   3b450c               | cmp                 eax, dword ptr [ebp + 0xc]

    condition:
        7 of them and filesize < 194560
}

Download all Yara Rules

BlackMatter Propose Change

References

Yara Rules

BlackMatter