SOC Advisory: BlackMatter Ransomware

In a constant effort to guard our clients’ valuable assets, including intellectual property and employees, CyFlare proactively identifies and monitors security breaches to maintain the organization’s protection. Here is our latest SOC Advisory —

SECTOR: Information Technology
REPORTING AGENCIES: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA)
DATE(S) ISSUED: 10-18-21


OVERVIEW: First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited.

SYSTEMS AFFECTED: Windows Server 2003+ (x86/x64) and Windows 7+ (x86/x64), including a Windows variant with Safe Mode support (EXE / reflective DLL / PowerShell), and a Linux variant with NAS support for Synology, OpenMediaVault, and FreeNAS (TrueNAS). The Linux variant can run on ESXi 5+, Ubuntu, Debian, and CentOS. Supported file systems for the Linux variant include VMFS, VFFS, NFS, VSAN, and the VMware ESXi virtual machine platform.

RISK: BlackMatter ransomware operators announced that they would not target healthcare organizations, critical infrastructure, organizations in the defense industry, or non-profit companies. Targeted industries: Legal, Real Estate, IT Services, Food & Beverage, Architecture, Education, and Finance.

TECHNICAL SUMMARY: Here are validated indicators of compromise known at this time:

  • On October 19th, an advisory was published providing information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, analyzed in a sandbox environment, as well as from trusted third parties. SHA256: 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.
  • The BlackMatter variant uses embedded admin or user credentials that were previously compromised, and calls NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively.
  • BlackMatter then uses the embedded credentials over the LDAP and SMB protocols to discover all hosts in the AD, and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. This variant of BlackMatter leverages the embedded credentials and the SMB protocol to remotely encrypt, from the original compromised host, the contents of all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
  • BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
  • Mapping of BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting:
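The remote-encryption behaviour described above (one compromised host reaching the ADMIN$, C$, SYSVOL and NETLOGON shares of many machines over SMB in a short time) leaves a footprint in share-access logging. The following added detection example, which is not part of the advisory and not CISA or CyFlare code, assumes share-access records shaped like Windows Security event 5140 (time, source IP, target host, share path) and flags any source that touches administrative shares on several distinct hosts inside a sliding window; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Shares the advisory names as targets of remote encryption over SMB.
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}

# Constructed sample records shaped like Windows Security event 5140
# ("A network share object was accessed"): time, source IP, target host, share.
SAMPLE_EVENTS = [
    ("2021-10-18T02:00:01", "10.0.0.5", "HR-FS01", "\\\\*\\C$"),
    ("2021-10-18T02:00:03", "10.0.0.5", "HR-FS01", "\\\\*\\ADMIN$"),
    ("2021-10-18T02:00:09", "10.0.0.5", "DC01", "\\\\*\\SYSVOL"),
    ("2021-10-18T02:00:12", "10.0.0.5", "DC01", "\\\\*\\NETLOGON"),
    ("2021-10-18T02:00:40", "10.0.0.5", "ENG-WS17", "\\\\*\\C$"),
    ("2021-10-18T02:01:05", "10.0.0.5", "FIN-WS03", "\\\\*\\C$"),
    ("2021-10-18T02:30:00", "10.0.0.9", "HR-FS01", "\\\\*\\Public"),  # ordinary user share
    ("2021-10-18T03:00:00", "10.0.0.9", "DC01", "\\\\*\\SYSVOL"),     # single host, e.g. GPO refresh
    ("2021-10-18T09:00:00", "10.0.0.9", "ENG-WS17", "\\\\*\\C$"),     # hours later, not a sweep
]

def share_name(path):
    """Extract the share name from a 5140 ShareName value such as '\\\\*\\C$'."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()

def find_share_sweeps(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {source_ip: sorted hosts} for every source that accessed an
    administrative share on at least min_hosts distinct hosts within any
    sliding time window of the given length."""
    per_source = defaultdict(list)
    for ts, src, host, path in events:
        if share_name(path) in ADMIN_SHARES:
            per_source[src].append((datetime.fromisoformat(ts), host))
    sweeps = {}
    for src, hits in per_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until all kept hits fall inside the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                sweeps[src] = sorted(hosts | set(sweeps.get(src, [])))
    return sweeps

if __name__ == "__main__":
    for src, hosts in find_share_sweeps(SAMPLE_EVENTS).items():
        print(f"possible administrative share sweep from {src}: {', '.join(hosts)}")
```

The thresholds (window length and host count) are assumptions to be tuned against the environment's baseline; backup, patch-management and monitoring servers legitimately touch admin shares across many hosts and should be allow-listed rather than suppressing the rule.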

If a ransomware incident occurs at your organization, CISA, the FBI, and NSA recommend:

  • Following the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
  • Scanning backups. If possible, scan backup data with an antivirus program to check that it is free of malware.
  • Reporting incidents immediately to the FBI at a local FBI Field Office, CISA at, or the U.S. Secret Service at a U.S. Secret Service Field Office.
  • Applying incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, etc.