BlackMatter is a ransomware variant first seen in July 2021 and run as a Ransomware-as-a-Service (RaaS) operation. It encrypts files with a hybrid scheme: a modified Salsa20 for file contents, with the Salsa20 key material protected by RSA-1024. Once encryption is complete, it demands a large payment for the decryptor. Its operators claim to have combined the "best aspects" of the tools and techniques used by the well-known REvil and DarkSide ransomware groups.
BlackMatter has been observed targeting the legal, agriculture, real estate, IT services, food and beverage, architecture, education and finance sectors. As with DarkSide, the operators claim they will not target hospitals, critical infrastructure, nonprofits or water treatment facilities. Known victims have been located in the United States, the UK, Canada, Australia, India, Brazil, Chile and Thailand.
After initial access, BlackMatter uses previously compromised administrator or user credentials, embedded in the sample, to enumerate running processes and services, to discover every host in Active Directory over LDAP and SMB, and to enumerate each discovered host's accessible shares through the MSRPC srvsvc.NetShareEnumAll call.
Using the same credentials, it then encrypts the contents of every discovered and accessible share remotely, from the originally infected host, including ADMIN$, C$, SYSVOL and NETLOGON. A single compromised machine can therefore encrypt file servers and domain controllers without the binary ever executing on them, and encrypting SYSVOL and NETLOGON also breaks Group Policy processing for the domain. To hinder static analysis and debugging, BlackMatter resolves the Windows API functions it needs at runtime instead of importing them, a technique it shares with DarkSide and REvil. When encryption finishes, a ransom note is dropped into every encrypted folder and the victim's desktop wallpaper is replaced with a message.
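The enumeration and remote encryption described above leave a distinctive footprint: one account from one source IP touching administrative shares on many hosts within minutes. The following detection, added here as an example and not part of the original report, runs over Windows Security event 5140 (a network share object was accessed) records. It assumes the event fields have already been extracted into a pipe-delimited form (the sample lines are constructed, not real telemetry), that the "Audit File Share" subcategory is enabled so 5140 is logged, and that the threshold of three hosts in five minutes is a starting point to tune for your environment.

```python
"""Hunt Windows Security event 5140 (network share object accessed) for one
account/source sweeping administrative shares across many hosts in a short
window: the footprint a single infected machine leaves when it remotely
encrypts ADMIN$, C$, SYSVOL and NETLOGON on every host it discovered."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}

# Constructed sample telemetry (not real logs), one 5140 record per line with
# the fields already extracted: timestamp|event_id|computer that hosts the
# share|subject account|source IP|share name as Windows logs it (\\*\NAME)
SAMPLE_EVENTS = r"""
2021-09-15T02:10:05|5140|WS01|CORP\svc_backup|10.0.0.50|\\*\ADMIN$
2021-09-15T02:10:09|5140|WS02|CORP\svc_backup|10.0.0.50|\\*\C$
2021-09-15T02:10:31|5140|FS01|CORP\svc_backup|10.0.0.50|\\*\C$
2021-09-15T02:10:40|5140|DC01|CORP\svc_backup|10.0.0.50|\\*\SYSVOL
2021-09-15T02:11:02|5140|DC01|CORP\svc_backup|10.0.0.50|\\*\NETLOGON
2021-09-15T02:12:00|5140|FS01|CORP\jdoe|10.0.0.21|\\*\Finance
2021-09-15T02:15:00|5140|WS07|CORP\itadmin|10.0.0.10|\\*\C$
2021-09-15T03:40:00|5140|WS08|CORP\itadmin|10.0.0.10|\\*\C$
"""


def parse_event(line):
    """Turn one pipe-delimited record into a dict with a parsed timestamp."""
    ts, event_id, computer, account, src_ip, share = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "computer": computer,
        "account": account,
        "src_ip": src_ip,
        # 5140 logs the share as \\*\NAME; keep only NAME, case-insensitive
        "share": share.rsplit("\\", 1)[-1].upper(),
    }


def detect_share_sweeps(text, min_hosts=3, window=timedelta(minutes=5)):
    """Return one alert per (account, source IP) that reached administrative
    shares on at least `min_hosts` distinct hosts inside any `window`."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    admin_hits = [e for e in events
                  if e["event_id"] == 5140 and e["share"] in ADMIN_SHARES]

    by_source = defaultdict(list)
    for e in admin_hits:
        by_source[(e["account"], e["src_ip"])].append(e)

    alerts = []
    for (account, src_ip), evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            # slide the left edge until the window spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["computer"] for e in evs[start:end + 1]}
            # keep the window with the most distinct hosts for this source
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "src_ip": src_ip,
                    "hosts": sorted(hosts),
                    "first_seen": evs[start]["ts"].isoformat(),
                    "last_seen": evs[end]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_share_sweeps(SAMPLE_EVENTS):
        print(f"{alert['account']} from {alert['src_ip']} hit admin shares on "
              f"{', '.join(alert['hosts'])} between {alert['first_seen']} and {alert['last_seen']}")
```

In the sample, CORP\svc_backup from 10.0.0.50 reaches four hosts in under a minute and is flagged, while the interactive administrator touching C$ on two machines 85 minutes apart and the user browsing a normal file share are not. Backup and vulnerability-scanning accounts legitimately sweep admin shares on a schedule, so the practical tuning is an allow-list of those (account, source) pairs rather than a higher threshold.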
BlackMatter achieves persistence through a value under the 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' key whose name is a randomly generated three-character string. It has also been observed creating trial accounts to maintain persistence on victim networks.
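A quick way to hunt for the RunOnce entry is to parse `reg query` output from both the machine and user hives and flag value names that fit the three-character pattern. The script below is an added example, not tooling from the report or from any vendor; the registry output it parses is constructed, and it assumes the random name is alphanumeric, which the report does not state.

```python
import re

# BlackMatter's reported RunOnce value name is three random characters; the
# write-up does not state the character set, so alphanumeric is an assumption.
SUSPICIOUS_NAME = re.compile(r"^[A-Za-z0-9]{3}$")

# RunOnce under both hives; the report names the key path, not the hive
RUNONCE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}

# A value line from `reg query`: indent, name, type, data, separated by runs of
# spaces. Value names that themselves contain spaces are not handled here.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Constructed `reg query` output (not taken from a real system). The last key
# is Run, not RunOnce, and is present to show that the check stays in scope.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    OneDriveSetup    REG_SZ    C:\Windows\SysWOW64\OneDriveSetup.exe /silent
    x7q    REG_SZ    C:\Users\Public\Music\svc.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Teams    REG_SZ    C:\Users\jdoe\AppData\Local\Microsoft\Teams\Update.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    abc    REG_SZ    C:\Tools\abc.exe
"""


def parse_reg_query(text):
    """Yield (key, name, type, data) for every value line in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if key and match:
            yield key, match["name"], match["type"], match["data"].strip()


def find_suspicious_runonce(text):
    """Return RunOnce values whose name matches the three-character pattern."""
    return [
        {"key": key, "name": name, "data": data}
        for key, name, _type, data in parse_reg_query(text)
        if key in RUNONCE_KEYS and SUSPICIOUS_NAME.match(name)
    ]


if __name__ == "__main__":
    for hit in find_suspicious_runonce(SAMPLE_REG_QUERY):
        print(f"{hit['key']}\\{hit['name']} -> {hit['data']}")
```

Collect the input with `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"` and the same path under HKCU for each logged-on user. Because Windows deletes a RunOnce value before running it, a live check after the next reboot will come up empty; on a triage image, parse the offline SOFTWARE and NTUSER.DAT hives instead, and treat any short, meaningless value name pointing at a user-writable path as worth pulling the binary for.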
The variant contains several anti-analysis and anti-debugging components. It has also been observed calling LdrEnumerateLoadedModules, along with other routines that walk the loaded-module lists in the PEB_LDR_DATA structure, in the course of its UAC bypass.
After execution, the variant contacts its C2 server and sends victim and host information in an encrypted POST request.