BLACKMATTER
BlackMatter is a ransomware-as-a-service (RaaS) operation that emerged in July 2021 after the retirement of the DarkSide ecosystem and was widely described as its successor. Multiple sources cited here link BlackMatter to DarkSide/ELBRUS, and CrowdStrike assesses with high confidence that CARBON SPIDER developed and operated the BlackMatter RaaS. Microsoft likewise states that ELBRUS/FIN7 replaced DarkSide with BlackMatter in July 2021 and retired BlackMatter in November 2021. BlackMatter has also been discussed as part of a lineage that later overlaps with or evolves into ALPHV/BlackCat, and ExMatter is identified as BlackMatter’s custom data-exfiltration tool.
BlackMatter conducted double-extortion operations: deploying ransomware while exfiltrating victim data and threatening deletion or public exposure if the ransom was not paid. Cited reporting states that campaigns targeted healthcare and other verticals, with victims identified across sectors in North and South America, Asia, and Europe. BlackMatter operators publicly claimed they would avoid certain sectors such as medical and government entities, reflecting the backlash after the DarkSide and REvil incidents, but the reporting cited here still notes healthcare targeting.
Technically, BlackMatter supports Windows and Linux/VMware ESXi environments. Sophos observed Windows samples using in-place, multithreaded, partial file encryption, renaming files before encryption, appending a decryption blob to encrypted files, and setting a ransom wallpaper very similar to DarkSide’s. BlackMatter changes file DACLs to grant Everyone full access before encryption. It uses runtime API resolution and runtime string decryption similar to DarkSide and REvil, and uses the elevated COM object Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} for UAC bypass. CrowdStrike reported Linux/ESXi variants with DarkSide-like configuration and C2 behavior, RSA-4096 public key usage, cURL-based communications, Tor-hosted payment portals in ransom notes, and ESXi targeting via esxcli.
A notable BlackMatter tradecraft feature is Safe Mode encryption. The malware supports a -safe switch and can enable the built-in Administrator account, configure AutoAdminLogon, set RunOnce persistence, use bcdedit to reboot into Safe Mode with Networking, continue encryption after the reboot, then remove the safeboot setting with bcdedit /deletevalue {current} safeboot and restart. Splunk detections cited here specifically associate BlackMatter with forced Safe Mode boot, AutoAdminLogon registry modification, and adding DefaultUserName/DefaultPassword under Winlogon so that encryption continues after the reboot.
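As an added illustration (not code from this page or from any of the cited vendors), the following Python sketch scores a host against the Safe Mode chain described above, using constructed Sysmon-style process-creation and registry-set events; the event layout, hostnames and file paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed, normalized Sysmon-style events (EventID 1 = process creation,
# EventID 13 = registry value set); hand-written for illustration, not from a real case.
WL = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} safeboot network"},
    {"EventID": 13, "Host": "WS01", "TargetObject": WL + r"\AutoAdminLogon", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Host": "WS01", "TargetObject": WL + r"\DefaultUserName", "Details": "Administrator"},
    {"EventID": 13, "Host": "WS01", "TargetObject": WL + r"\DefaultPassword", "Details": "(redacted)"},
    {"EventID": 13, "Host": "WS01", "Details": r"C:\Users\Public\enc.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\*k3vq9z"},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /deletevalue {current} safeboot"},
    # Benign control: an admin listing the boot store on another host.
    {"EventID": 1, "Host": "WS02", "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /enum"},
]

def _bcdedit(e, pattern):
    # Process creation of bcdedit.exe whose command line matches the given regex.
    return (e["EventID"] == 1 and e["Image"].lower().endswith("\\bcdedit.exe")
            and re.search(pattern, e["CommandLine"], re.I) is not None)
def _reg(e):
    # Lower-cased registry path for value-set events, empty string for everything else.
    return e.get("TargetObject", "").lower()

# One predicate per stage of the Safe Mode chain; a '*'-prefixed RunOnce value runs even in Safe Mode.
RULES = {
    "safe_mode_boot": lambda e: _bcdedit(e, r"/set\s+\{current\}\s+safeboot\s+network"),
    "auto_admin_logon": lambda e: _reg(e).endswith("\\winlogon\\autoadminlogon") and "0x00000001" in e["Details"],
    "default_credentials": lambda e: _reg(e).endswith(("\\winlogon\\defaultusername", "\\winlogon\\defaultpassword")),
    "runonce_safe_mode_entry": lambda e: "\\currentversion\\runonce\\*" in _reg(e),
    "safeboot_cleanup": lambda e: _bcdedit(e, r"/deletevalue\s+\{current\}\s+safeboot"),
}
# The boot-config change plus auto-logon is the minimum to flag a host; other stages add confidence.
REQUIRED = {"safe_mode_boot", "auto_admin_logon"}

def analyze(events):
    """Return {host: set of matched stage names} for every host that tripped at least one rule."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["Host"]].add(name)
    return dict(hits)

def flag_hosts(events):
    """Hosts whose matched stages cover every REQUIRED stage, sorted by name."""
    return sorted(h for h, stages in analyze(events).items() if REQUIRED <= stages)
```

Correlating the stages per host, rather than alerting on any single bcdedit or Winlogon write, keeps routine boot-store queries and legitimate kiosk auto-logon setups out of the alert queue.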
Observed deployment and intrusion behavior includes scheduled-task execution of a PowerShell script from a domain-accessible UNC path, with the ransomware binary base64-encoded inside the script. Cisco Talos compared BlackMatter and BlackCat intrusions and found BlackMatter activity involving reverse SSH tunneling with GOST, scheduled tasks, LSASS dumping via the comsvcs.dll minidump export invoked through rundll32, use of Impacket wmiexec, WinRM/PowerShell, RDP, and PsExec/RemCom for lateral movement, Group Policy-based domain-wide execution using apply.ps1 and gpupdate /force, and ransomware binaries launched from SYSVOL/NETLOGON shares. Talos also noted overlap in infrastructure between a September 2021 BlackMatter intrusion and a later BlackCat intrusion.
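To show how the deployment pattern above translates into triage logic, here is an added Python example (not from this page or from Talos) that flags scheduled tasks launching PowerShell from a UNC path, scripts or binaries sourced from SYSVOL/NETLOGON, and base64 runs in a script that decode to a PE header; the sample command lines, share names and the stand-in blob are constructed.

```python
import base64
import re

# Regexes for the deployment pattern described above: a scheduled task that launches a
# PowerShell script from a UNC path, and scripts/binaries served from SYSVOL or NETLOGON.
UNC_PS = re.compile(r"powershell(?:\.exe)?[^\n]*\\\\[\w.-]+\\[^\s\"']+\.ps1", re.I)
SHARE = re.compile(r"\\\\[\w.-]+\\(?:sysvol|netlogon)\\", re.I)

def embedded_pe_sizes(text, min_len=64):
    """Decoded sizes of base64 runs (>= min_len chars) in a script that start with a PE 'MZ' header."""
    sizes = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        if raw[:2] == b"MZ":
            sizes.append(len(raw))
    return sizes

def triage_process(cmdline, image=""):
    """Reasons a process-creation event matches the BlackMatter deployment pattern."""
    low = cmdline.lower()
    reasons = []
    if low.startswith("schtasks") and "/create" in low and UNC_PS.search(cmdline):
        reasons.append("scheduled task runs PowerShell script from UNC path")
    if SHARE.search(image) or SHARE.search(cmdline):
        reasons.append("script or binary sourced from SYSVOL/NETLOGON share")
    if re.search(r"gpupdate(?:\.exe)?\s+/force", low):
        reasons.append("forced Group Policy refresh (low signal on its own)")
    return reasons

def triage_script(text):
    """Reasons a script's content matches the pattern (base64-embedded executable)."""
    return [f"embedded base64 PE image ({n} bytes decoded)" for n in embedded_pe_sizes(text)]

# Constructed samples. FAKE_BLOB is just an 'MZ' header plus filler bytes, not a real executable.
FAKE_BLOB = base64.b64encode(b"MZ" + b"\x90" * 300).decode()
SAMPLE_SCRIPT = f"$bytes = [Convert]::FromBase64String('{FAKE_BLOB}')"
SAMPLE_PROCESSES = [
    ("", r'schtasks /create /tn Sync /tr "powershell.exe -File \\dc01.corp.example\share\run.ps1" /sc once'),
    ("", r"powershell.exe -File \\dc01.corp.example\SYSVOL\corp.example\scripts\apply.ps1"),
    ("", "gpupdate /force"),
    ("", r"notepad.exe C:\notes.txt"),
]
if __name__ == "__main__":
    for image, cmd in SAMPLE_PROCESSES:
        print(cmd, "->", triage_process(cmd, image))
    print(triage_script(SAMPLE_SCRIPT))
```

The gpupdate rule is deliberately weak on its own; it earns its place only when correlated with a recent Group Policy change or one of the other two findings on the same domain.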
Cited reporting also associates BlackMatter with initial-access and affiliate ecosystems tied to FIN7/ELBRUS. FBI reporting states that FIN7 mailed malicious HID-style USB devices to U.S. organizations, including defense-sector targets, to gain access and ultimately deploy ransomware such as BlackMatter or REvil. Microsoft reporting cited here states that FIN7 not only deployed DarkSide/BlackMatter but managed the DarkSide RaaS operation, and used fake security firms such as Bastion Secure and Combi Security for recruitment.
High-confidence indicators and artifacts directly mentioned in the cited reporting include the Sophos-analyzed sample SHA-256 22D7D67C3AF10B1A37F277EBABE2D1EB4FD25AFBD6437D4377400E148BCC08D6; communication from the analyzed sample to a remote server hosted on paymenthacks.com; use of Tor-hosted payment and leak portals; and, from Talos reporting on a BlackMatter intrusion, shared infrastructure including the domain windows[.]menu and the IPs 52.149.228[.]45 and 20.46.245[.]56.
Groups observed using it
ELBRUS retired the DarkSide ransomware ecosystem in May 2021 and released its successor, BlackMatter, in July 2021.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (3 techniques)
Once a BlackMatter operator gains access to a target’s network and is ready to deploy the ransomware, a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server.
a scheduled task is set up that executes a PowerShell script... Change the default boot configuration to safe mode with networking, by running this command: bcdedit /set {current} safeboot network
a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server... The ransomware binary itself is base64 encoded and embedded inside the PowerShell script.
Persistence (4 techniques)
Once a BlackMatter operator gains access to a target’s network and is ready to deploy the ransomware, a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server.
Create the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon registry key and set it to 1... Create an entry under the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ registry key
Change the default boot configuration to safe mode with networking, by running this command: bcdedit /set {current} safeboot network... When the ransomware has finished encrypting, it runs the following command... bcdedit /deletevalue {current} safeboot
Privilege Escalation (5 techniques)
Once a BlackMatter operator gains access to a target’s network and is ready to deploy the ransomware, a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server.
Change the default boot configuration to safe mode with networking, by running this command: bcdedit /set {current} safeboot network... When the ransomware has finished encrypting, it runs the following command... bcdedit /deletevalue {current} safeboot
Create an entry under the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ registry key, using a random string starting with an asterisk
BlackMatter also attempts to elevate its privileges when it is limited by User Account Control (UAC). It does so via an elevated COM interface
It does so via an elevated COM interface, by executing a function with this object name: Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Stealth (1 technique)
Like DarkSide (and REvil), BlackMatter uses a run-time API that can hinder static analysis of the malware. And like the other two ransomware groups, strings are also encrypted and revealed during runtime... stores configuration information in the binary in an encoded format.
Defense Impairment (1 technique)
Discovery (3 techniques)
SophosLabs decoded this and found that BlackMatter ransomware has a similar structure and information stored in the configuration blob, like lists of processes and services to kill.
The BlackMatter ransomware collects information from victim machines, like hostname, logged in user, operating system, domain name, system type (architecture), language, as well as the size of the disk and available free space.
Dataset description: BlackMatter ransomware accessing schcache due to creation of an ADSI object for its LDAP query (MITRE ATT&CK technique T1087.002; dataset path: /datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log).
Exfiltration (2 techniques)
The analyzed sample sends these details to a remote server hosted on paymenthacks.com.
BlackMatter ransomware campaigns targeting healthcare and other vertical sectors involve the use of ransomware payloads along with exfiltration of data, per the HHS bulletin.
Impact (3 techniques)
Attackers move directly to deploying ransomware by editing a Group Policy.
where endpoint protection is typically not active, and perform the entire encryption attack there... The machine is restarted, although the abused Administrator account remains automatically logged in.
The following analytic detects the modification of registry keys related to the desktop wallpaper settings... This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note.
Other (2 techniques)
Recent activity
Ransomware that uses bcdedit to force compromised hosts into Safe Mode with Networking so encryption can continue while bypassing some security controls.
Ransomware associated with behavior that stops backup, security, and recovery-related Windows services prior to file encryption.
Ransomware that manipulates boot configurations to facilitate encryption processes.
Ransomware that modifies Winlogon registry values such as DefaultUserName and DefaultPassword to enable auto admin logon, allowing it to automatically log on to compromised hosts and continue encryption after a safe mode boot.