Login Register

A Deeper Dive into BlackMatter Ransomware Activities

By J.Austine Nov. 8, 2021, 4:23 p.m.
A deep dive into BlackMatter Ransomware activities

The formation of a big ransomware group using the moniker “BlackMatter.”

Over July holiday, REvil attacked Kaseya’s customers. Furthermore, they used a Sodinokibi payload. It had many indicators of compromise (IOC), including a “Blacklivesmatter” registry entry. After a short while, REvil disappeared from the darknet.
The reason is, it was an attempt to avoid authorities’ attention. Others say it was the result of some takedown action. Apart from being an IOC, the “Blacklivesmatter” registry entry indicates the future. For instance, the formation of a big ransomware group using the moniker “BlackMatter.”
The group seems to be an amalgamation of REvil and Darkside’s team members. The reason is, the group shows strong similarities in the following:
Infrastructure configuration
Operating philosophies
From 2020, REvil and Darkside have been the most prolific ransomware groups. For example, they were behind the infamous Travelex incident. Because of the attack, the organization and its customers suffered disruption for months.

Targets of BlackMatter Ransomware Activities

BlackMatter mainly targets Windows-based systems. Yet, unique payloads targeting Linux systems have also gotten observed. Linux payloads do not provide data encryption. Instead, they serve as remote access Trojans to pivot other windows-based machines.
BlackMatter got formed in mid-July this year. Three weeks after the Kaseya incident, the group targeted a US-based architecture company.
The group focuses on targeting businesses with more than $100m annual revenue. This information got based on dark web posts by an identity purporting to be BlackMatter. Further, the group avoids networks that previously got compromised by REvil and Darkside.
BlackMatter provided proof and reassurances to pay any would-be affiliate. They do that by depositing 4 Bitcoin with the forum. Likewise, the same happened in REvil’s recruitment activity in 2020.
Evidently, the group seems to target organizations in English-speaking countries. The most targeted being the UK, the US, Australia, and Canada. Even so, they exclude government institutions and healthcare. The reason being, to avoid law enforcement action coming from political pressure.

Delivery of Attacks

BlackMatter gains access via the compromise of vulnerable edge devices. Also, through the abuse of corporate credentials obtained from various sources. On the contrary, many cyberattacks rely on phishing to establish a foothold.
BlackMatter exploits infrastructure vulnerabilities found in VPN appliances and virtualization. Initial access operators affiliated with the group are likely to destroy their TTP. Also, they may favor exploiting some vulnerabilities over others.
BlackMatter once set a victim-specific ransom note. The note advised the victim of the data encryption to install the Tor Browser. This was to enable the dark web negotiation site to get accessed.
Before, Darkside and REvil avoided the encryption of machines of commonwealth members. They identified the country code used by victim’s keyboard layout.
Similar groups that offer hacking services get found in dark markets. Most transactions in the dark markets are in the form of Cryptocurrency. Even so, dark markets have various goods and services aside from hacking services. If you are planning to visit the darknet marketplaces, take necessary precautions.
Above all, remember to install the Tor browser and a VPN to tread carefully. Additionally, do not trust anyone on the platform!

Do you find this content interesting?
This is just a MIRROR ! Find us via our Main TOR domain
And Let us know by leaving a comment and a rating.

Also, don't forget to follow our Official Telegram Channel to stay informed and safe by Reading  NOIRdotNEWS


Please visit our onion version to comment.