| Category | Malware Intelligence |
|---|---|
| Malware Name | BlackMatter |
| Malware Family | Ransomware |
| Affected Industries | Multiple |
| Affected Region | Global |
| Target OS | Windows/Linux |
Executive Summary
- BlackMatter is a new strain of ransomware first identified in July 2021. The newly emerged ransomware is an affiliate of Darkside and targets regions worldwide, particularly the US, UK, Australia, and Canada.
- This ransomware targets Windows- and Linux-based systems, including NAS (Network-Attached Storage) devices and ESXi servers.
- BlackMatter ransomware operators claim that it combines the best aspects of REvil, Darkside, and LockBit ransomware. They target a variety of industries with revenue above USD 1 million, with the exception of organizations in the healthcare, government, oil and gas, and non-profit sectors.
Analysis
On 21 July 2021, BlackMatter ransomware operators published a post on a Russian cybercrime forum asking to buy access in bulk for various locations, including the United States, the United Kingdom, and Australia. The following industries were explicitly excluded from their target list:
- Healthcare
- Critical Infrastructure
- Oil and Gas
- Defence
- Non-profit
- Government Institutions
BlackMatter operators specifically target companies with a revenue of USD 1 million and above, whose networks have between 500 and 15,000 hosts.
The BlackMatter account on the Russian forum has an escrow balance of 4 BTC, which amounts to ~USD 180K. Apart from evoking confidence in other forum members, the large balance attracts reputed threat actors and experienced Initial Access Brokers (IABs) to work with them. It also shows that the group is serious about carrying out large-scale attacks that require advanced tools and resources.
[Figure: BlackMatter advertisement on a cybercrime forum]
Information from Technical Analysis
Based on open-source research, CloudSEK researchers determined that the ransomware has two variants that target both Windows and Linux systems, with some minor changes in their encryption functionality.
The Windows variant of the BlackMatter ransomware performs the following functions:
- The ransomware checks the current user's privilege level and, based on that, escalates privileges to bypass UAC (User Account Control) via the ICMLuaUtil COM interface.
- The ransomware uses multiple threads, coordinated through an I/O completion port, both while enumerating the filesystem and during the encryption process.
- The ransomware enumerates network resources as well as AD (Active Directory) objects using LDAP (Lightweight Directory Access Protocol) requests.
- The ransomware excludes specific directories, file names, and file extensions from encryption. It also deletes shadow copies of the targeted directories before starting the encryption process.
- The ransomware kills specific processes and deletes or stops specific services on the victim system.
- The file encryption algorithm is Salsa20, and the Salsa20 key is protected with an RSA-1024 public key.
- After encryption, the ransomware changes the file name to . and drops a ransom note named .README.txt in each folder.
- The ransomware collects information about the victim device and sends it to the C2 server over HTTP POST requests, encrypted with AES-128 in ECB mode.
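Two of the behaviours listed above, shadow copy deletion (T1490) and service stopping (T1489), together with the ransom-note drop, are the ones a SOC can most readily detect from endpoint telemetry. The following is an added example (not CloudSEK's code and not taken from the malware) that tags constructed process-creation and file-creation events with those behaviours and escalates hosts that show more than one of them. The event schema, the host names, and the command-line patterns are assumptions; the patterns describe common ways shadow copies are deleted and services are stopped, not commands quoted from the report.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Hypothetical event shape (assumption, not a real product schema):
#   {"host": ..., "event": "process", "cmd": ...}  or
#   {"host": ..., "event": "file",    "path": ...}

# Command-line patterns are assumptions about how the behaviours in the
# report are commonly carried out; tune them to local telemetry.
PROCESS_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # T1490 Inhibit System Recovery: shadow copy deletion
    ("inhibit_recovery", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("inhibit_recovery", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # T1489 Service Stop
    ("service_stop", re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\b", re.I)),
]

# Ransom-note name given in the report; whatever precedes ".README.txt"
# is not reproduced here, so only the suffix is matched.
NOTE_NAME = re.compile(r"\.README\.txt$", re.I)


def classify_process(cmd: str) -> List[str]:
    """Return the sorted set of behaviour tags a command line matches."""
    return sorted({tag for tag, pat in PROCESS_RULES if pat.search(cmd)})


def classify_file(path: str) -> List[str]:
    """Tag file-creation events whose name matches the ransom-note suffix."""
    return ["ransom_note"] if NOTE_NAME.search(path) else []


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every event through the matching classifier; return (host, tag, detail)."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        if ev["event"] == "process":
            tags, detail = classify_process(ev["cmd"]), ev["cmd"]
        elif ev["event"] == "file":
            tags, detail = classify_file(ev["path"]), ev["path"]
        else:
            continue  # other event types are not covered by these rules
        for tag in tags:
            hits.append((ev["host"], tag, detail))
    return hits


def hosts_to_escalate(events: Iterable[Dict[str, str]], min_behaviours: int = 2) -> Set[str]:
    """Hosts showing at least `min_behaviours` distinct behaviours.

    A single shadow-copy deletion or service stop is often routine admin
    work; several of these behaviours on one host in one window is not.
    """
    seen: Dict[str, Set[str]] = defaultdict(set)
    for host, tag, _ in detect(events):
        seen[host].add(tag)
    return {host for host, tags in seen.items() if len(tags) >= min_behaviours}


# Constructed sample telemetry (hypothetical hosts, commands, and paths).
SAMPLE_EVENTS = [
    {"host": "ws-101", "event": "process", "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-101", "event": "process", "cmd": 'net stop "SQL Server" /y'},
    {"host": "ws-102", "event": "process", "cmd": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "ws-101", "event": "file", "path": r"C:\Users\alice\Documents\XyZ1.README.txt"},
    {"host": "ws-103", "event": "registry", "path": r"HKCU\Software\Example"},
]

if __name__ == "__main__":
    for host, tag, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {tag} <- {detail}")
    print("escalate:", sorted(hosts_to_escalate(SAMPLE_EVENTS)))
```

The escalation threshold is the design choice worth keeping: each rule on its own will fire on legitimate backup and maintenance activity, but the combination of recovery inhibition, service stopping, and note creation on the same host within a short window is the pattern that matches the behaviour described in this report.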
[Figure: Information shared by the BlackMatter ransomware operators]
Impact & Mitigation
Impact
- The ransomware deletes shadow copies of the targeted directories, preventing data recovery.
- The ransomware deploys anti-VM and anti-debugging techniques to hinder reverse engineering of the ransomware.
- The ransomware encrypts its victim's files, making them inaccessible.
- The ransomware is also capable of exfiltrating data to the attacker's server, which can then be used to blackmail the victim.
Mitigation
- Update applications and systems with the latest patches and updates.
- Use EDR solutions for network monitoring.
- Use up-to-date anomaly-detection and anti-virus products.
- Conduct security awareness and training programs for employees on a regular basis.
- Avoid clicking on malicious or suspicious links.
- Avoid downloading documents from untrusted or suspicious sources.
TTPs & IOCs
Tactics, Techniques, and Procedures
- Privilege Escalation:
  - T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control
- Defense Evasion:
  - T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control
  - T1027: Obfuscated Files or Information
- Discovery:
  - T1482: Domain Trust Discovery
  - T1083: File and Directory Discovery
  - T1135: Network Share Discovery
  - T1057: Process Discovery
  - T1033: System Owner/User Discovery
  - T1007: System Service Discovery
- Command and Control:
- Exfiltration:
  - T1041: Exfiltration Over C2 Channel
- Impact:
  - T1486: Data Encrypted for Impact
  - T1490: Inhibit System Recovery
  - T1489: Service Stop
Indicators of Compromise
- Domain
  - Paymenthacks.com
  - Mojobiden.com
  - Blackmattersusa.com
  - Blackmatterinc.com
  - Blackmatter.online
  - Blackmatterlives.biz
  - Blackmattersblog.com
  - Blackmatter.club
  - Allblackmatterspodcast.com
  - Liveblackmatters.com
  - Blackmattershop.com
  - Allblackmatterspodcast.info
  - Shoppingwhileblackmatters.com
  - Blackmatter.space
  - Blackmatters.world
  - Blackmatterstudios.com
  - Blackmatter.xyz
  - Blackmatter.tech
  - blackmatterremedies.com
  - uberblackmatters.com
  - hireblackmatters.com
  - blackmattermarketing.com
  - blackmatterlives.net
  - blackmattermedia.com
  - myblackmattersny.com
  - seeingblackmatters.com
  - shopblackmatter.com
  - blackmatterpodcast.com
  - blackmattersapparel.com
  - blackmattersapparel.net
  - blackmattersapparel.info
  - yourblackmatters.com
  - blackmatterfirearms.com
  - collectiveactionforblackmatters.com
  - ourblackmatters.com
  - allblackmatter.com
  - studioblackmatter.com
  - blackmatter.life
  - everythingblackmatters.com
  - blackmatter14.com
  - blackmatter15.com
  - whitevoicesblackmatters.com
  - blackmattersdirectory.com
  - myblackmatter.com
- FileHash
  - 598c53bfef81e489375f09792e487f1a
  - 605d939941c5df2df5dbfb8ad84cfed4
  - 3f9a28e8c057e7ea7ccf15a4db81f362
  - a3cb3b02a683275f7e0a0f8a9a5c9e07
- IP
  - 51.79.243.236
  - 131.107.255.255

| List | Values |
|---|---|
| Excluded directory names | windows, system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, program files (x86), program files, $windows.~bt, public, msocache, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old |
| Excluded file names | desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log |
| Targeted file extensions | themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu |
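Indicator lists such as the one above are only useful once they are matched against telemetry, and the matching has to cope with the usual normalisation problems (upper-case hashes, DNS queries with a trailing dot, subdomains of a listed domain, malformed IP fields). The following is an added example (not CloudSEK's code) that loads a subset of the report's domains, all four hashes and both IPs, and sweeps constructed DNS, file and network records for them. The record format, host names and sample values are assumptions; in practice the full domain list from the report would be loaded rather than the subset embedded here.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Indicators copied from the report above. The domain set is a subset
# for brevity; the hashes and IPs are the complete lists from the report.
IOC_DOMAINS = {
    "paymenthacks.com",
    "mojobiden.com",
    "blackmattersusa.com",
    "blackmatterinc.com",
    "blackmatter.online",
}
IOC_HASHES = {
    "598c53bfef81e489375f09792e487f1a",
    "605d939941c5df2df5dbfb8ad84cfed4",
    "3f9a28e8c057e7ea7ccf15a4db81f362",
    "a3cb3b02a683275f7e0a0f8a9a5c9e07",
}
IOC_IPS = {ipaddress.ip_address(ip) for ip in ("51.79.243.236", "131.107.255.255")}


def normalise_domain(name: str) -> str:
    """Lowercase and drop the trailing dot that DNS logs usually carry."""
    return name.strip().rstrip(".").lower()


def domain_hit(query: str) -> Optional[str]:
    """Return the indicator if the query is an IOC domain or a subdomain of one."""
    q = normalise_domain(query)
    for ioc in IOC_DOMAINS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


def hash_hit(value: str) -> Optional[str]:
    """Case-insensitive MD5 lookup (the report lists 32-hex-character hashes)."""
    v = value.strip().lower()
    return v if v in IOC_HASHES else None


def ip_hit(value: str) -> Optional[str]:
    """Parse the field as an address so malformed values never match or crash."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None


# Record type -> (field holding the observable, matcher for it).
CHECKERS: Dict[str, Tuple[str, Callable[[str], Optional[str]]]] = {
    "dns": ("query", domain_hit),
    "file": ("md5", hash_hit),
    "net": ("dst", ip_hit),
}


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the matcher for each record's type; return one hit per matching record."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        checker = CHECKERS.get(rec.get("type", ""))
        if checker is None:
            continue  # record type not covered by this indicator set
        field, check = checker
        match = check(rec.get(field, ""))
        if match:
            hits.append({"host": rec["host"], "type": rec["type"],
                         "indicator": match, "observed": rec[field]})
    return hits


# Constructed sample telemetry (hypothetical hosts and values).
SAMPLE_RECORDS = [
    {"type": "dns", "host": "ws-101", "query": "www.Paymenthacks.com."},
    {"type": "dns", "host": "ws-102", "query": "updates.example.internal."},
    {"type": "dns", "host": "ws-102", "query": "notpaymenthacks.com."},
    {"type": "file", "host": "fs-01", "md5": "605D939941C5DF2DF5DBFB8AD84CFED4"},
    {"type": "net", "host": "ws-101", "dst": "51.79.243.236"},
    {"type": "net", "host": "ws-103", "dst": "not-an-ip"},
    {"type": "proc", "host": "ws-104", "cmd": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(f"{hit['host']}: {hit['type']} indicator {hit['indicator']} (seen as {hit['observed']})")
```

The subdomain check is anchored on a leading dot so that a look-alike such as `notpaymenthacks.com` does not match, and the IP matcher parses the field rather than comparing strings, which also makes equivalent forms such as IPv4-mapped IPv6 addresses compare correctly.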