win.blackmatter

BlackMatter


Ransomware-as-a-Service

References
2022-09-22BroadcomSymantec Threat Hunter Team
@online{team:20220922:noberus:fc868b9, author = {Symantec Threat Hunter Team}, title = {{Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics}}, date = {2022-09-22}, organization = {Broadcom}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps}, language = {English}, urldate = {2022-09-26} } Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
BlackCat BlackMatter DarkSide
2022-08-02Recorded FutureInsikt Group
@techreport{group:20220802:initial:5caddb5, author = {Insikt Group}, title = {{Initial Access Brokers Are Key to Rise in Ransomware Attacks}}, date = {2022-08-02}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf}, language = {English}, urldate = {2022-08-05} } Initial Access Brokers Are Key to Rise in Ransomware Attacks
Azorult BlackMatter Conti Mars Stealer Raccoon RedLine Stealer Taurus Stealer Vidar
2022-07-25Trend MicroIvan Nicole Chavez, Byron Gelera, Katherine Casona, Nathaniel Morales, Ieriz Nicolle Gonzalez, Nathaniel Gregory Ragasa
@online{chavez:20220725:lockbit:a660282, author = {Ivan Nicole Chavez and Byron Gelera and Katherine Casona and Nathaniel Morales and Ieriz Nicolle Gonzalez and Nathaniel Gregory Ragasa}, title = {{LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities}}, date = {2022-07-25}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/g/lockbit-ransomware-group-augments-its-latest-variant--lockbit-3-.html}, language = {English}, urldate = {2022-08-11} } LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities
BlackMatter LockBit
2022-07-13GLIMPSGLIMPS
@online{glimps:20220713:lockbit:c4e0803, author = {GLIMPS}, title = {{Lockbit 3.0}}, date = {2022-07-13}, organization = {GLIMPS}, url = {https://www.glimps.fr/lockbit3-0/}, language = {French}, urldate = {2022-07-18} } Lockbit 3.0
BlackMatter DarkSide LockBit
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-05-09Microsoft SecurityMicrosoft Threat Intelligence Center, Microsoft 365 Defender Threat Intelligence Team
@online{center:20220509:ransomwareasaservice:3dac44d, author = {Microsoft Threat Intelligence Center and Microsoft 365 Defender Threat Intelligence Team}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft Security}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/}, language = {English}, urldate = {2022-06-02} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
Griffon BazarBackdoor BlackCat BlackMatter Blister Gozi LockBit Pandora Rook SystemBC TrickBot
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-13MicrosoftMicrosoft 365 Defender Threat Intelligence Team
@online{team:20220413:dismantling:ace8546, author = {Microsoft 365 Defender Threat Intelligence Team}, title = {{Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware}}, date = {2022-04-13}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/}, language = {English}, urldate = {2022-04-14} } Dismantling ZLoader: How malicious ads led to disabled security tools and ransomware
BlackMatter Cobalt Strike DarkSide Ryuk Zloader
2022-04-08The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20220408:researchers:245d67d, author = {Ravie Lakshmanan}, title = {{Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity}}, date = {2022-04-08}, organization = {The Hacker News}, url = {https://thehackernews.com/2022/04/researchers-connect-blackcat-ransomware.html}, language = {English}, urldate = {2022-04-12} } Researchers Connect BlackCat Ransomware with Past BlackMatter Malware Activity
BlackCat BlackMatter BlackCat BlackMatter
2022-03-24SentinelOneAntonio Cocomazzi
@techreport{cocomazzi:20220324:ransomware:be706fa, author = {Antonio Cocomazzi}, title = {{Ransomware Encryption Internals: A Behavioral Characterization}}, date = {2022-03-24}, institution = {SentinelOne}, url = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf}, language = {English}, urldate = {2022-03-25} } Ransomware Encryption Internals: A Behavioral Characterization
Babuk Babuk BlackMatter
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-22The RegisterJeff Burt
@online{burt:20220322:this:2834162, author = {Jeff Burt}, title = {{This is a BlackCat you don't want crossing your path}}, date = {2022-03-22}, organization = {The Register}, url = {https://www.theregister.com/2022/03/22/talos-ransomware-blackcat/}, language = {English}, urldate = {2022-03-23} } This is a BlackCat you don't want crossing your path
BlackCat BlackMatter
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2022-03-17CiscoTiago Pereira, Caitlin Huey
@online{pereira:20220317:from:592c847, author = {Tiago Pereira and Caitlin Huey}, title = {{From BlackMatter to BlackCat: Analyzing two attacks from one affiliate}}, date = {2022-03-17}, organization = {Cisco}, url = {https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html}, language = {English}, urldate = {2022-03-18} } From BlackMatter to BlackCat: Analyzing two attacks from one affiliate
BlackCat BlackMatter BlackCat BlackMatter
2022-03-16SymantecSymantec Threat Hunter Team
@techreport{team:20220316:ransomware:1c2a72a, author = {Symantec Threat Hunter Team}, title = {{The Ransomware Threat Landscape: What to Expect in 2022}}, date = {2022-03-16}, institution = {Symantec}, url = {https://www.symantec.broadcom.com/hubfs/SED/SED_Threat_Hunter_Reports_Alerts/SED_FY22Q2_SES_Ransomware-Threat-Landscape_WP.pdf}, language = {English}, urldate = {2022-03-22} } The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-03VirusTotalVirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1, author = {VirusTotal}, title = {{VirusTotal's 2021 Malware Trends Report}}, date = {2022-03}, institution = {VirusTotal}, url = {https://assets.virustotal.com/reports/2021trends.pdf}, language = {English}, urldate = {2022-04-13} } VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-19MandiantAdrian Sanchez Hernandez, Paul Tarter, Ervin James Ocampo
@online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2022-01-19BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220119:kraken:5b52d17, author = {The BlackBerry Research & Intelligence Team}, title = {{Kraken the Code on Prometheus}}, date = {2022-01-19}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus}, language = {English}, urldate = {2022-05-25} } Kraken the Code on Prometheus
Prometheus Backdoor BlackMatter Cerber Cobalt Strike DCRat Ficker Stealer QakBot REvil Ryuk
2021-12-10Medium s2wlabS2W TALON
@online{talon:20211210:blackcat:2ec3ecf, author = {S2W TALON}, title = {{BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration}}, date = {2021-12-10}, organization = {Medium s2wlab}, url = {https://medium.com/s2wblog/blackcat-new-rust-based-ransomware-borrowing-blackmatters-configuration-31c8d330a809}, language = {English}, urldate = {2022-01-06} } BlackCat: New Rust based ransomware borrowing BlackMatter’s configuration
BlackCat BlackMatter
2021-11-24GoogleGoogle Cybersecurity Action Team, Google Threat Analysis Group
@techreport{team:20211124:threat:a837017, author = {Google Cybersecurity Action Team and Google Threat Analysis Group}, title = {{Threat Horizons Cloud Threat Intelligence November 2021. Issue 1}}, date = {2021-11-24}, institution = {Google}, url = {https://services.google.com/fh/files/misc/gcat_threathorizons_full_nov2021.pdf}, language = {English}, urldate = {2021-11-29} } Threat Horizons Cloud Threat Intelligence November 2021. Issue 1
BlackMatter
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-11-03The RecordCatalin Cimpanu
@online{cimpanu:20211103:blackmatter:04b7414, author = {Catalin Cimpanu}, title = {{BlackMatter ransomware says its shutting down due to pressure from local authorities}}, date = {2021-11-03}, organization = {The Record}, url = {https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/}, language = {English}, urldate = {2021-11-03} } BlackMatter ransomware says its shutting down due to pressure from local authorities
BlackMatter
2021-11-03Bleeping ComputerLawrence Abrams
@online{abrams:20211103:blackmatter:5681de9, author = {Lawrence Abrams}, title = {{BlackMatter ransomware moves victims to LockBit after shutdown}}, date = {2021-11-03}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/}, language = {English}, urldate = {2021-11-08} } BlackMatter ransomware moves victims to LockBit after shutdown
BlackMatter BlackMatter LockBit
2021-11-03Group-IBAndrey Zhdanov
@online{zhdanov:20211103:darker:fb1a211, author = {Andrey Zhdanov}, title = {{The Darker Things BlackMatter and their victims}}, date = {2021-11-03}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackmatter2}, language = {English}, urldate = {2022-01-25} } The Darker Things BlackMatter and their victims
BlackMatter DarkSide BlackMatter DarkSide
2021-11-02VaronisDvir Sason
@online{sason:20211102:blackmatter:f72b080, author = {Dvir Sason}, title = {{BlackMatter Ransomware: In-Depth Analysis & Recommendations}}, date = {2021-11-02}, organization = {Varonis}, url = {https://www.varonis.com/blog/blackmatter-ransomware/}, language = {English}, urldate = {2021-11-03} } BlackMatter Ransomware: In-Depth Analysis & Recommendations
BlackMatter
2021-10-22Bleeping ComputerIonut Ilascu
@online{ilascu:20211022:darkside:89e4ee2, author = {Ionut Ilascu}, title = {{DarkSide ransomware rushes to cash out $7 million in Bitcoin}}, date = {2021-10-22}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/darkside-ransomware-rushes-to-cash-out-7-million-in-bitcoin/}, language = {English}, urldate = {2021-11-02} } DarkSide ransomware rushes to cash out $7 million in Bitcoin
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22EllipticElliptic Intel
@online{intel:20211022:darkside:8c61341, author = {Elliptic Intel}, title = {{DarkSide bitcoins on the move following government cyberattack against REvil ransomware group}}, date = {2021-10-22}, organization = {Elliptic}, url = {https://www.elliptic.co/blog/darkside-bitcoins-on-the-move-following-government-cyberattack-against-revil-ransomware-group}, language = {English}, urldate = {2021-11-02} } DarkSide bitcoins on the move following government cyberattack against REvil ransomware group
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22The RecordCatalin Cimpanu
@online{cimpanu:20211022:darkside:27f49ba, author = {Catalin Cimpanu}, title = {{DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement}}, date = {2021-10-22}, organization = {The Record}, url = {https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/}, language = {English}, urldate = {2021-11-02} } DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement
BlackMatter DarkSide BlackMatter DarkSide
2021-10-22Twitter (@GelosSnake)Omri Segev Moyal
@online{moyal:20211022:list:7934934, author = {Omri Segev Moyal}, title = {{Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money}}, date = {2021-10-22}, organization = {Twitter (@GelosSnake)}, url = {https://twitter.com/GelosSnake/status/1451465959894667275}, language = {English}, urldate = {2021-11-02} } Tweet on List of wallets used by Darkside/Blackmatter Operator to split out the money
BlackMatter DarkSide BlackMatter DarkSide
2021-10-20MandiantJacob Thompson
@online{thompson:20211020:hidden:c64ea48, author = {Jacob Thompson}, title = {{Hidden in Plain Sight: Identifying Cryptography in BLACKMATTER Ransomware}}, date = {2021-10-20}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/cryptography-blackmatter-ransomware}, language = {English}, urldate = {2021-11-02} } Hidden in Plain Sight: Identifying Cryptography in BLACKMATTER Ransomware
BlackMatter
2021-10-18CISAUS-CERT
@online{uscert:20211018:alert:5701532, author = {US-CERT}, title = {{Alert (AA21-291A): BlackMatter Ransomware}}, date = {2021-10-18}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/alerts/aa21-291a}, language = {English}, urldate = {2021-10-24} } Alert (AA21-291A): BlackMatter Ransomware
BlackMatter BlackMatter
2021-10-14YouTube (Uriel Kosayev)Uriel Kosayev
@online{kosayev:20211014:darkside:c4648ce, author = {Uriel Kosayev}, title = {{DarkSide Ransomware Reverse Engineering}}, date = {2021-10-14}, organization = {YouTube (Uriel Kosayev)}, url = {https://www.youtube.com/watch?v=NIiEcOryLpI}, language = {English}, urldate = {2021-11-02} } DarkSide Ransomware Reverse Engineering
BlackMatter DarkSide BlackMatter DarkSide
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-09-23BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20210923:threat:e44c44f, author = {The BlackBerry Research & Intelligence Team}, title = {{Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?}}, date = {2021-09-23}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service}, language = {English}, urldate = {2021-10-11} } Threat Thursday: BlackMatter RaaS - Darker Than DarkSide?
BlackMatter DarkSide BlackMatter DarkSide
2021-09-22McAfeeAlexandre Mundo, Marc Elias
@online{mundo:20210922:blackmatter:75b98d9, author = {Alexandre Mundo and Marc Elias}, title = {{BlackMatter Ransomware Analysis; The Dark Side Returns}}, date = {2021-09-22}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/}, language = {English}, urldate = {2021-09-23} } BlackMatter Ransomware Analysis; The Dark Side Returns
BlackMatter
2021-09-21Nozomi NetworksNozomi Networks Labs
@online{labs:20210921:blackmatter:61b1b27, author = {Nozomi Networks Labs}, title = {{BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs}}, date = {2021-09-21}, organization = {Nozomi Networks}, url = {https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/}, language = {English}, urldate = {2021-09-24} } BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs
BlackMatter
2021-09-14CrowdStrikeCrowdStrike Intelligence Team
@online{team:20210914:big:b345561, author = {CrowdStrike Intelligence Team}, title = {{Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack}}, date = {2021-09-14}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/}, language = {English}, urldate = {2021-09-19} } Big Game Hunting TTPs Continue to Shift After DarkSide Pipeline Attack
BlackMatter DarkSide REvil Avaddon BlackMatter Clop Conti CryptoLocker DarkSide DoppelPaymer Hades REvil
2021-09-10S2W LAB Inc.S2W TALON
@online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-08Cipher Tech SolutionsCipher Tech ACCE Team
@online{team:20210908:rapidly:d7c3f22, author = {Cipher Tech ACCE Team}, title = {{Rapidly Evolving BlackMatter Ransomware Tactics}}, date = {2021-09-08}, organization = {Cipher Tech Solutions}, url = {https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/}, language = {English}, urldate = {2021-09-09} } Rapidly Evolving BlackMatter Ransomware Tactics
BlackMatter
2021-09-08Medium s2wlabS2W TALON
@online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08McAfeeMax Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-06KELAVictoria Kivilevich
@online{kivilevich:20210906:ideal:737307f, author = {Victoria Kivilevich}, title = {{The Ideal Ransomware Victim: What Attackers Are Looking For}}, date = {2021-09-06}, organization = {KELA}, url = {https://ke-la.com/the-ideal-ransomware-victim-what-attackers-are-looking-for/}, language = {English}, urldate = {2021-11-02} } The Ideal Ransomware Victim: What Attackers Are Looking For
BlackMatter Cryakl
2021-09-05Chuongdong blogChuong Dong
@online{dong:20210905:blackmatter:2673021, author = {Chuong Dong}, title = {{BlackMatter Ransomware v2.0}}, date = {2021-09-05}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/}, language = {English}, urldate = {2021-09-09} } BlackMatter Ransomware v2.0
BlackMatter
2021-09-02US Department of Health and Human ServicesHealth Sector Cybersecurity Coordination Center (HC3)
@techreport{hc3:20210902:demystifying:afc61dc, author = {Health Sector Cybersecurity Coordination Center (HC3)}, title = {{Demystifying BlackMatter}}, date = {2021-09-02}, institution = {US Department of Health and Human Services}, url = {https://www.hhs.gov/sites/default/files/demystifying-blackmatter.pdf}, language = {English}, urldate = {2021-11-02} } Demystifying BlackMatter
BlackMatter BlackMatter DarkSide
2021-09-01Medium s2wlabS2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025, author = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon}, title = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}}, date = {2021-09-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751}, language = {English}, urldate = {2021-09-06} } BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-31Minerva LabsMinerva Labs
@online{labs:20210831:blackmatter:26abef6, author = {Minerva Labs}, title = {{BlackMatter - The New Star Of Ransomware}}, date = {2021-08-31}, organization = {Minerva Labs}, url = {https://blog.minerva-labs.com/blackmatter}, language = {English}, urldate = {2021-09-12} } BlackMatter - The New Star Of Ransomware
BlackMatter
2021-08-23NetskopeGustavo Palazolo
@online{palazolo:20210823:netskope:356b783, author = {Gustavo Palazolo}, title = {{Netskope Threat Coverage: BlackMatter}}, date = {2021-08-23}, organization = {Netskope}, url = {https://www.netskope.com/blog/netskope-threat-coverage-blackmatter}, language = {English}, urldate = {2021-08-25} } Netskope Threat Coverage: BlackMatter
BlackMatter
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-09SophosMark Loman
@online{loman:20210809:blackmatter:d7606f3, author = {Mark Loman}, title = {{BlackMatter ransomware emerges from the shadow of DarkSide}}, date = {2021-08-09}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/}, language = {English}, urldate = {2021-08-25} } BlackMatter ransomware emerges from the shadow of DarkSide
BlackMatter BlackMatter
2021-08-06Group-IBAndrey Zhdanov
@online{zhdanov:20210806:its:e5b4483, author = {Andrey Zhdanov}, title = {{It's alive! The story behind the BlackMatter ransomware strain}}, date = {2021-08-06}, organization = {Group-IB}, url = {https://blog.group-ib.com/blackmatter#}, language = {English}, urldate = {2021-08-09} } It's alive! The story behind the BlackMatter ransomware strain
BlackMatter DarkSide BlackMatter DarkSide
2021-08-05TesorionGijs Rijnders
@online{rijnders:20210805:analysis:6a836dd, author = {Gijs Rijnders}, title = {{Analysis of the BlackMatter ransomware}}, date = {2021-08-05}, organization = {Tesorion}, url = {https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/}, language = {English}, urldate = {2021-08-24} } Analysis of the BlackMatter ransomware
BlackMatter
2021-08-04Recorded FutureInsikt Group®
@techreport{group:20210804:protect:283486d, author = {Insikt Group®}, title = {{Protect Against BlackMatter Ransomware Before It’s Offered}}, date = {2021-08-04}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf}, language = {English}, urldate = {2021-08-06} } Protect Against BlackMatter Ransomware Before It’s Offered
BlackMatter DarkSide
2021-08-04Jan Gruber
@online{gruber:20210804:understanding:ad8ac48, author = {Jan Gruber}, title = {{Understanding BlackMatter's API Hashing}}, date = {2021-08-04}, url = {https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html}, language = {English}, urldate = {2021-08-09} } Understanding BlackMatter's API Hashing
BlackMatter
Yara Rules
[TLP:WHITE] win_blackmatter_auto (20220808 | Detects win.blackmatter.)
/*
 * win_blackmatter_auto -- autogenerated YARA-Signator rule for the Malpedia
 * family win.blackmatter (see malpedia_reference in meta).
 *
 * How it detects: ten short x86 byte sequences ($sequence_0 .. $sequence_9),
 * each lifted from the disassembly of memory dumps and unpacked samples (see
 * the DISCLAIMER below). The "??" bytes are YARA wildcards; they sit where the
 * generator blanked out call targets and data references (signator_config
 * "callsandjumps;datarefs"), i.e. the operand bytes that change between builds
 * while the surrounding opcodes stay stable. The disassembly column next to
 * those wildcarded instructions is therefore left empty.
 *
 * Notes for defenders applying this rule:
 *   - The sequences come from unpacked code, so expect matches on unpacked or
 *     dumped payloads rather than on packed droppers as found on disk.
 *   - The condition needs 7 of the 10 sequences. Some sequences look generic
 *     on their own (e.g. $sequence_9, which only zeroes stack locals); when
 *     triaging a hit or a suspected false positive, check which sequences
 *     actually matched rather than treating the rule as a single indicator.
 *   - `filesize` is defined for file scans; confirm how your scanner evaluates
 *     it on process memory before relying on the size bound in that setting.
 *   - Sharing/licence: TLP:WHITE, CC BY-SA 4.0 (see meta).
 */
rule win_blackmatter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.blackmatter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator settings: which instruction parts were wildcarded
        // (call/jump targets, data references) and how values were encoded.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter"
        // Rule generation date and the Malpedia data version it was built from.
        malpedia_rule_date = "20220805"
        // NOTE(review): presumably a Malpedia-side identifier for this rule
        // revision; its exact meaning is not documented in the rule itself.
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // In the per-sequence comments below, "n" is the number of
        // instructions in the sequence and "score" is YARA-Signator's ranking
        // value for it (see the yara-signator repository for how it is derived).

        // Looks like a countdown loop (dec/test/jne back) followed by four
        // pushes (-1, 1, two stack locals) setting up a call that follows.
        $sequence_0 = { 4b 85db 75f5 6aff 6a01 ff75e4 ff75f4 }
            // n = 7, score = 400
            //   4b                   | dec                 ebx
            //   85db                 | test                ebx, ebx
            //   75f5                 | jne                 0xfffffff7
            //   6aff                 | push                -1
            //   6a01                 | push                1
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ff75f4               | push                dword ptr [ebp - 0xc]

        // Pushes (-1, 0, two locals), then a wildcarded indirect call whose
        // result is stored in [ebp - 8].
        $sequence_1 = { 7527 6aff 6a00 ff75e8 ff75f4 ff15???????? 8945f8 }
            // n = 7, score = 400
            //   7527                 | jne                 0x29
            //   6aff                 | push                -1
            //   6a00                 | push                0
            //   ff75e8               | push                dword ptr [ebp - 0x18]
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff15????????         |                     
            //   8945f8               | mov                 dword ptr [ebp - 8], eax

        // Two wildcarded direct calls around an argument push sequence that
        // uses two locals deep in the frame (ebp - 0x128 / ebp - 0x124).
        $sequence_2 = { e8???????? 6a00 ff750c ffb5d8feffff ffb5dcfeffff e8???????? ff7508 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   6a00                 | push                0
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ffb5d8feffff         | push                dword ptr [ebp - 0x128]
            //   ffb5dcfeffff         | push                dword ptr [ebp - 0x124]
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]

        // Copies esi to ebx, stores esi to a wildcarded global, scales ebx by 4
        // (shl 2 -- appears to be index-to-offset arithmetic), loads two
        // wildcarded immediates into esi/edi and jumps ahead.
        $sequence_3 = { 8bde 8935???????? 33c9 c1e302 be???????? bf???????? eb42 }
            // n = 7, score = 400
            //   8bde                 | mov                 ebx, esi
            //   8935????????         |                     
            //   33c9                 | xor                 ecx, ecx
            //   c1e302               | shl                 ebx, 2
            //   be????????           |                     
            //   bf????????           |                     
            //   eb42                 | jmp                 0x44

        // Wildcarded indirect call with two-argument stack clean-up
        // (add esp, 8), result kept in ebx and tested for zero before being
        // passed to another wildcarded call.
        $sequence_4 = { ff15???????? 83c408 8bd8 85db 0f8491000000 53 ff15???????? }
            // n = 7, score = 400
            //   ff15????????         |                     
            //   83c408               | add                 esp, 8
            //   8bd8                 | mov                 ebx, eax
            //   85db                 | test                ebx, ebx
            //   0f8491000000         | je                  0x97
            //   53                   | push                ebx
            //   ff15????????         |                     

        // Result of a wildcarded call compared against 0x3c (60) with an
        // unsigned below-branch, then another call whose result is tested.
        $sequence_5 = { e8???????? 83f83c 0f82ad020000 e8???????? 85c0 }
            // n = 5, score = 400
            //   e8????????           |                     
            //   83f83c               | cmp                 eax, 0x3c
            //   0f82ad020000         | jb                  0x2b3
            //   e8????????           |                     
            //   85c0                 | test                eax, eax

        // Stores 0x400 (1024) into a local, passes it to a wildcarded call,
        // saves the result and then takes the address of that local --
        // looks like a size/out-parameter pattern.
        $sequence_6 = { 53 56 c745f800040000 ff75f8 e8???????? 8945f4 8d45f8 }
            // n = 7, score = 400
            //   53                   | push                ebx
            //   56                   | push                esi
            //   c745f800040000       | mov                 dword ptr [ebp - 8], 0x400
            //   ff75f8               | push                dword ptr [ebp - 8]
            //   e8????????           |                     
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8d45f8               | lea                 eax, [ebp - 8]

        // Six-argument push sequence (2, 0, 0, address of a local, two
        // locals); no call is part of the sequence itself.
        $sequence_7 = { 6a02 6a00 6a00 8d45d8 50 ff75fc ff75f8 }
            // n = 7, score = 400
            //   6a02                 | push                2
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d45d8               | lea                 eax, [ebp - 0x28]
            //   50                   | push                eax
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff75f8               | push                dword ptr [ebp - 8]

        // Shifts by 24/16/8 and masks with 0xff: splits a 32-bit value into
        // its individual bytes.
        $sequence_8 = { 8b55ec c1e818 c1eb10 c1e908 81e3ff000000 81e1ff000000 }
            // n = 6, score = 400
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   c1e818               | shr                 eax, 0x18
            //   c1eb10               | shr                 ebx, 0x10
            //   c1e908               | shr                 ecx, 8
            //   81e3ff000000         | and                 ebx, 0xff
            //   81e1ff000000         | and                 ecx, 0xff

        // Zeroes six stack locals and pushes 0x64 (100). This is ordinary
        // compiler output and is the most generic-looking sequence here; it
        // should not be treated as meaningful on its own.
        $sequence_9 = { c745d000000000 c745cc00000000 c745fc00000000 c745f800000000 c745dc00000000 c745f400000000 6a64 }
            // n = 7, score = 400
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c745cc00000000       | mov                 dword ptr [ebp - 0x34], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   c745dc00000000       | mov                 dword ptr [ebp - 0x24], 0
            //   c745f400000000       | mov                 dword ptr [ebp - 0xc], 0
            //   6a64                 | push                0x64

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 194560 bytes (190 KiB).
        7 of them and filesize < 194560
}