Atos Digital Security regularly performs incident response and gathers information on various groups of attackers.
Among them, BlackMatter stands out for its remarkably rapid rise despite its recent inception. This new group of attackers has quickly attracted the attention of the cybersecurity world for its offensive capabilities and its alleged legacy.
This article describes the results of the investigations conducted on this group, its modus operandi and attack campaigns.
Update – 11-03-21
Since this article was written, a new event occurred on November 3, 2021: the BlackMatter group shut down its activities.
According to vx-underground, the group announced that it would stop its operations in a message posted on the backend of its data leak Website on November 1, 2021.
The BlackMatter Website, hosted on a hidden service of the Tor network, is still accessible, but the message states that their entire infrastructure would be shut down after 48 hours. It also indicates that affiliates can still communicate with their victims and ask for a decryptor.
The ransomware operators specified that this shutdown was due to pressure from the authorities and the unavailability of several of its members.
The BlackMatter group has indeed attracted the attention of American authorities since its attacks on two agricultural cooperatives considered critical infrastructure, in a context of increased efforts by Washington to combat ransomware operations.
Description of BlackMatter operations
The name BlackMatter first appeared on July 19, 2021, when an eponymous user created an account on the Russian-speaking forums “Exploit” and “XSS.” On July 21, he began promoting his activity through a post on the same forums, stating that he was seeking to gain access to corporate networks in the United States, the United Kingdom, Canada and Australia.
In the following days, the group set up an affiliate and partner recruitment campaign as well as a Website to publish its victims’ stolen data.
Promotion of BlackMatter on the Exploit forum
Source: Recorded Future
Some researchers quickly raised the possibility that BlackMatter might be the heir to the REvil and/or DarkSide groups, which suspended their Ransomware-as-a-Service (RaaS) activities (temporarily, in REvil’s case) following the attacks that respectively targeted the outsourcing service provider Kaseya and the oil pipeline operator Colonial Pipeline. These two attacks led to a strong political reaction in the United States.
Although this lineage is not confirmed, similarities have indeed been identified between BlackMatter and other RaaS:
- In an interview with Recorded Future, the group claimed that its ransomware incorporates the best features of other ransomware such as Lockbit, REvil and DarkSide;
- BlackMatter’s publications Website was designed in the same way as those of the Darkside, Groove and Atomsilo groups;
- The payload and the cryptographic encryption routine are said to be similar to those of the DarkSide ransomware.
Since its emergence in July 2021, the BlackMatter ransomware has compromised dozens of victims from various sectors, including large companies, to the point of drawing the attention of U.S. authorities too.
The BlackMatter RaaS
Similar to the Avaddon group, already presented in a previous publication, BlackMatter is a RaaS. It refers to a business model in which ransomware developers provide attackers with the whole infrastructure necessary to encrypt a victim’s data. This infrastructure includes the encryption software, the payment management, the data disclosure and the negotiation channel.
Therefore, campaigns conducted by the BlackMatter group under the RaaS model typically involve two threat actors. Initially, an attacker with access to an information system contacts the ransomware group. The BlackMatter developers then examine the request as well as the credibility of the hacker’s entry point. If the request is accepted, the attacker concludes an agreement with the group that allows them to use its infrastructure and the program that encrypts the data. Affiliated attackers can then use the BlackMatter ransomware and pay the developers with a share of the profits generated by the ransoms paid by their victims. According to the U.S. Cybersecurity & Infrastructure Security Agency (CISA), which issued an alert on BlackMatter on October 18, 2021, these ransoms range from tens of thousands of dollars to $15 million in cryptocurrency (Bitcoin and Monero).
BlackMatter also relies on initial access providers, from which the group buys access for between $3,000 and $100,000 depending on the target. In this case, BlackMatter’s operators take care of infecting the compromised network. The group’s motives thus appear to be primarily lucrative, as is the case with most ransomware attacks, which are usually conducted with the opportunistic intent to obtain financial gains.
Since its appearance last July, more than 40 companies have been targeted by the BlackMatter RaaS. The latter has claimed victims in America as well as in Asia, in various sectors of activity. The United States remains the most targeted country, with 52% of the impacted companies being of American origin.
However, unlike the REvil and DarkSide ransomware, BlackMatter does not check its victims’ system language in order to abort the infection on machines located in certain geographic regions.
Major intrusions from BlackMatter
Sources: Darkfeed, Twitter, RedPacket Security
On its leak Website, BlackMatter states that it excludes certain sectors or types of businesses from its attack perimeter, such as hospitals, critical infrastructure (nuclear power facilities, power generators, water treatment facilities), the defense industry, non-profit organizations, and the government sector. This is consistent with a more general trend: following the Kaseya and Colonial Pipeline attacks, many RaaS operators changed their rules to prohibit their affiliates from targeting critical infrastructure, most likely for fear of attracting unwanted media and political attention once more.
BlackMatter rules on their .onion Website
Source: Emsisoft
Nevertheless, the BlackMatter group counts among its victims entities considered critical infrastructure. On October 18, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on the group’s activities against organizations in the agricultural sector. This was published following attacks in September 2021, when two U.S. agricultural cooperatives fell victim to BlackMatter, including New Cooperative, whose compromise led to a ransom demand of more than $5 million. Rather than receiving the free decryption that the criminal group promises when a business or sector excluded from its scope is attacked, the cooperative was threatened with a doubling of the ransom.
As mentioned above, the BlackMatter ransomware is distributed through direct access to its victims’ networks, purchased from its affiliates and partners. These entry points vary: compromised remote services such as Remote Desktop Protocol (RDP) or Virtual Private Networks (VPNs), or exploited vulnerabilities in other products.
Once a machine is infected, the ransomware uses the “Salsa20” and “RSA-1024” cryptographic algorithms to encrypt hosts and shared drives as they are discovered. After encrypting the files, the program creates a BMP file with a message and sets it as the wallpaper.
BlackMatter Wallpaper on an infected machine
Source: Group-IB
By default, only the first megabyte of each file is encrypted. The encrypted file also carries a data block, protected with the encryption key, that contains the original file name and the victim ID, the latter being taken from the “HKLM\SOFTWARE\Microsoft\Cryptography” registry key. In each processed directory, BlackMatter creates a text file with a ransom note:
BlackMatter ransom note
Source: Group-IB
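As an added defender-side example (not code from this article or from any of the vendors it cites), the following Python script flags files whose first megabyte looks random while the remainder does not, the on-disk layout that "first megabyte only" encryption leaves behind. The entropy thresholds and the constructed sample files are assumptions, chosen so that fully compressed or fully encrypted files are not flagged.

```python
import math
import os
from collections import Counter
from dataclasses import dataclass

MEGABYTE = 1024 * 1024


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; uniformly random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Verdict:
    head_entropy: float
    tail_entropy: float
    partially_encrypted: bool


def check_partial_encryption(data: bytes, head_len: int = MEGABYTE,
                             high: float = 7.5, low: float = 6.0) -> Verdict:
    """Flag a file whose first head_len bytes look random while the rest does not.

    A file encrypted end to end, or a natively compressed format (zip, jpeg),
    has high entropy in both parts and is deliberately not flagged; the
    head/tail split is what distinguishes partial encryption from those.
    Files shorter than head_len cannot show the split and are never flagged.
    Thresholds (assumed): head >= 7.5 bits/byte and tail <= 6.0 bits/byte.
    """
    head, tail = data[:head_len], data[head_len:]
    h, t = shannon_entropy(head), shannon_entropy(tail)
    return Verdict(h, t, len(tail) >= 4096 and h >= high and t <= low)


def constructed_sample(partially_encrypted: bool) -> bytes:
    """Constructed 2 MiB test file: repetitive 'document' text, optionally with
    its first MiB replaced by random bytes to mimic the post-encryption layout."""
    filler = b"Quarterly report, section 1. Figures are provisional.\n"
    doc = (filler * (2 * MEGABYTE // len(filler) + 1))[:2 * MEGABYTE]
    if partially_encrypted:
        doc = os.urandom(MEGABYTE) + doc[MEGABYTE:]
    return doc


if __name__ == "__main__":
    for label, flag in (("clean", False), ("head-encrypted", True)):
        v = check_partial_encryption(constructed_sample(flag))
        print(f"{label}: head={v.head_entropy:.2f} tail={v.tail_entropy:.2f} "
              f"flagged={v.partially_encrypted}")
```

Run over a file share after an incident, the verdict separates files touched by the encryptor from untouched ones; a high entropy in both halves means either a compressed format or a sample that was encrypted in full, which this heuristic cannot tell apart.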
A portion of the stolen data is then uploaded to the group’s leak Website. Typically, the stolen data includes confidential documents such as contracts, non-disclosure agreements, company financial data, or employee personal data (social security numbers, resumes, etc.). If the victim does not pay within the given time, the data is made available for download on the leak publication Website and the ransom amount increases.
Payment time elapsed on BlackMatter .onion Website
Source: Group-IB
Major BlackMatter updates
When it first appeared, the BlackMatter group claimed that its ransomware service was capable of encrypting various operating systems such as Windows (Windows Server 2003, Windows 7, etc.) or Linux (Debian, CentOS, etc.).
Since version 1.2 of BlackMatter, analyzed by Group-IB on August 6, 2021, its payload has undergone regular updates designed to make its detection and analysis more difficult. According to McAfee, version 1.6 had already been compiled on July 23, version 1.9 on August 12 and the last known version, 2.0, on August 16. This last version modifies the BlackMatter encryption algorithm, which is now more complex to decrypt.
More recently, researchers at Emsisoft revealed that they had discovered a flaw in the BlackMatter ransomware introduced by a change in its payload. By exploiting it, they managed to create a decryption tool that was sent for free to victims listed on the BlackMatter Website. Nevertheless, at the end of September, BlackMatter became aware of this flaw while monitoring the networks and communications of its victims and consequently, quickly updated its ransomware to fix it. New victims, affected by BlackMatter since the end of September, can therefore no longer use this tool to decrypt their data.
Furthermore, when BlackMatter’s ransom note leaked in September 2021, anyone in its possession could reach and communicate with the cybercriminal group. This caused a number of people to pollute the group’s communication channel with its victims, leading the group to establish a system to verify the identity of victims who contact them to negotiate.
Additional verification on the BlackMatter .onion Website
Source: Emsisoft