{
	"id": "77af3e4c-e3f6-4742-b7a8-e2ec3bccb75c",
	"created_at": "2026-04-06T01:29:19.5222Z",
	"updated_at": "2026-04-10T03:22:08.405564Z",
	"deleted_at": null,
	"sha1_hash": "0cf9f2c1d4f5d5d755fea572a197513916ba01ba",
	"title": "BlackMatter Ransomware Technical Analysis and Tools from Nozomi Networks Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3160386,
	"plain_text": "BlackMatter Ransomware Technical Analysis and Tools from\r\nNozomi Networks Labs\r\nBy Nozomi Networks\r\nPublished: 2025-03-27 · Archived: 2026-04-06 00:39:28 UTC\r\nOver the last weekend, Iowa-based NEW Cooperative Inc. was the latest victim of the ransomware group\r\nBlackMatter. According to the company, which operates as a farmers’ cooperative, the incident has been actively\r\nhandled, but at the time of this writing the full impact of the attack is not clear.\r\nIn the media inquiries section of its website, BlackMatter explicitly lists a series of critical infrastructure targets\r\nthat should not be targeted by its malicious operations. An organization the size of NEW Cooperative could very\r\nwell be categorized as critical infrastructure. If that’s the case, this attack could have significant consequences.\r\nModern supply chains are sometimes found to be vulnerable to sudden disruptions, with the full effects often\r\nunderstood only much later.\r\nIn this blog, we describe the process that Nozomi Networks Labs took to analyze the BlackMatter ransomware\r\nexecutable, as well as ways the malware hinders analysis, and how we were able to overcome them. We provide\r\nsome scripts that can help other researchers extract key information from other instances of this ransomware that\r\nsurface in the wild.\r\nMain Functionality\r\nThe ransomware encrypts victims’ files with a version of the ChaCha20 and RSA algorithms. RSA is used to\r\nensure that decryption is not possible without the private key stored on the attackers’ side. The malware leaves a\r\nnote in the form of a README file with the steps to follow to decrypt them. 
In addition, it changes the wallpaper\r\nto bring attention to them:\r\nhttps://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/\r\nPage 1 of 15\n\nWallpaper changed by the BlackMatter ransomware executable, drawing attention to a README file with\r\ndecryption steps.\r\nIn addition, the malware performs various common ransomware actions such as:\r\nDeleting shadow copies (local backups) by first listing them using the WMI query SELECT * FROM\r\nWin32_ShadowCopy\r\nDeleting files in the recycle bin\r\nTerminating processes and services specified in the configuration\r\nChanging the wallpaper to point to the README text file for decryption instructions\r\nElevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} is used for UAC (user\r\naccount control) bypass\r\nEncrypted files will get a new file extension matching the victim id seen in the README file name prefix\r\nand also stored in the registry. This victim id is derived from the MachineGuid registry value.\r\nAnti-debugging Techniques\r\nThe malware attempts to thwart analysis by hiding which WinAPIs it relies on. To do so, the malware\r\nresolves some of the required import functions by their hashes:\r\nIdentification of WinAPI function by hashed name\r\nTo further complicate analysis, in case of bulk WinAPI address resolution by hashes, the malware uses a unique\r\nway of storing the addresses found. Instead of just storing them in a table, for every resolved WinAPI address, it\r\nrandomly chooses one of five different ways to encode it (rol, ror, xor, xor+rol or xor+ror) and stores the encoded\r\naddress together with a dynamically built code snippet that will decode it just before the call:\r\nBuilding code snippets to dynamically decrypt each API address and transfer control to it\r\nHere is one of the resulting proxy code snippets:\r\nDynamically built code snippet to call the API\r\nAnother anti-debugging trick used by the malware is checking for the presence of the 0xABABABAB sequence at the\r\nend of the private heap blocks that it allocates to store these snippets. If a debugger is attached, this sequence will be\r\nadded and the malware won’t store the address of the snippet in its custom import table, which will later result in\r\nthe debugged sample crashing.\r\nMalware checks for the presence of the 0xABABABAB sequence revealing the debugger\r\nThe strings are commonly decrypted on the fly, just before being used:\r\nWith the help of IDAPython functionality, it is possible to automatically find and decrypt most of them:\r\nSOFTWARE\\Microsoft\\Cryptography\r\nMachineGuid\r\n__ProviderArchitecture\r\nROOT\\CIMV2\r\nID\r\nSELECT * FROM Win32_ShadowCopy\r\nWQL\r\nWin32_ShadowCopy.ID='%s'\r\nGlobal\\%.8x%.8x%.8x%.8x\r\nTimes New Roman\r\n.bmp\r\nControl Panel\\Desktop\r\nWallPaper\r\nWallpaperStyle\r\nZ:\\\r\ndllhost.exe\r\nElevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\n%s.README.txt\r\nControl Panel\\International\r\nLocaleName\r\nsLanguage\r\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\r\nProductName\r\n%.8x%.8x%.8x%.8x%\r\nPOST\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\r\n%s=%s\r\n%s=%s\r\n%.8x%.8x%.8x%.8x%\r\nABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\r\n%u.%u\r\n%u.%u\r\n\\\\%s\\\r\nLDAP://rootDSE\r\ndefaultNamingContext\r\nLDAP://CN=Computers,\r\ndNSHostName\r\n\\\\%s\\\r\nExchangeInstallPath\r\nProgram Files\r\nMailbox\r\nSOFTWARE\\%s\r\nhScreen\r\nConfiguration\r\nThe sample’s encrypted configuration is stored in the .rsrc section, additionally compressed, and the individual\r\nfields are base64-encoded. The decrypted C2 configuration can be seen below. The sample can interact with both\r\nplain HTTP and HTTPS endpoints, as evidenced by the set of C2 URLs.\r\nConfiguration decryption and base64-encoded C2\r\nThe malware generates random HTTP query values when it communicates with these C2 servers:\r\nNetwork communication with one of the C2\r\nTo secure the communication, the AES algorithm is used.\r\nDetails of the targeted system in plaintext\r\nHere is the extracted configuration:\r\n{\r\n \"SHA256_SAMPLE\": \"706F3EEC328E91FF7F66C8F0A2FB9B556325C153A329A2062DC85879C540839D\",\r\n \"RSA_KEY\": \"232FBA5316E1C9A3F0E603EF0ECB534A1FC1E8BA5F89DBD886D98FBF88EEDDE66CC65E00BBB827CD0262B65C505D95A008\r\n \"COMPANY_VICTIM_ID\": \"90A881FFA127B004CEC6802588FCE307\",\r\n \"AES_KEY\": \"B59C952C492BD3D1F8F5140AA2855CDE\",\r\n \"BOT_MALWARE_VERSION\": \"2.0\",\r\n \"ODD_CRYPT_LARGE_FILES\": \"false\",\r\n \"NEED_MAKE_LOGON\": \"true\",\r\n \"MOUNT_UNITS_AND_CRYPT\": \"true\",\r\n \"CRYPT_NETWORK_RESOURCES_AND_AD\": \"true\",\r\n \"TERMINATE_PROCESSES\": \"true\",\r\n \"STOP_SERVICES_AND_DELETE\": \"true\",\r\n \"CREATE_MUTEX\": \"true\",\r\n \"PREPARE_VICTIM_DATA_AND_SEND\": \"true\",\r\n \"PRINT_RANSOM_NOTE\": \"true\",\r\n \"PROCESS_TO_KILL\": [\r\n { \"\": \"encsvc\" },\r\n { \"\": \"thebat\" },\r\n { \"\": \"mydesktopqos\" },\r\n { \"\": \"xfssvccon\" },\r\n { \"\": \"firefox\" },\r\n { \"\": \"infopath\" },\r\n { \"\": \"winword\" },\r\n { \"\": \"steam\" },\r\n { \"\": \"synctime\" },\r\n { \"\": \"notepad\" },\r\n { \"\": \"ocomm\" },\r\n { \"\": \"onenote\" },\r\n { \"\": \"mspub\" },\r\n { \"\": \"thunderbird\" },\r\n { \"\": \"agntsvc\" },\r\n { \"\": \"sql\" },\r\n { \"\": \"excel\" },\r\n { \"\": \"powerpnt\" },\r\n { \"\": \"outlook\" },\r\n { \"\": \"wordpad\" },\r\n { \"\": \"dbeng50\" },\r\n { \"\": \"isqlplussvc\" },\r\n { \"\": \"sqbcoreservice\" },\r\n { \"\": \"oracle\" },\r\n { \"\": \"ocautoupds\" },\r\n { \"\": \"dbsnmp\" },\r\n { \"\": \"msaccess\" },\r\n { \"\": \"tbirdconfig\" },\r\n { \"\": \"ocssd\" },\r\n { \"\": \"mydesktopservice\" },\r\n { \"\": \"visio\" }\r\n ],\r\n \"SERVICES_TO_KILL\": [\r\n { \"\": \"mepocs\" },\r\n { \"\": \"memtas\" },\r\n { \"\": \"veeam\" },\r\n { \"\": \"svc$\" },\r\n { \"\": \"backup\" },\r\n { \"\": \"sql\" },\r\n { \"\": \"vss\" },\r\n { \"\": \"msexchange\" }\r\n ],\r\n \"C2_URLS\": [\r\n { \"\": \"https://mojobiden[.]com\" },\r\n { \"\": \"http://mojobiden[.]com\" },\r\n { \"\": \"https://nowautomation[.]com\" },\r\n { \"\": \"http://nowautomation[.]com\" }\r\n ],\r\n \"LOGON_USERS_INFORMATION\": [\r\n { \"\": \"\" },\r\n { \"\": \"\" },\r\n { \"\": \"\" },\r\n { \"\": \"\" },\r\n { \"\": \"\" },\r\n { \"\": \"\" }\r\n ],\r\n \"RANSOM_NOTE\": [\r\n {\r\n \"\": \" ~+ \\r\\n * +\\r\\n '\r\n }\r\n ]\r\n}\r\nOverall, there are multiple similarities with the DarkSide ransomware family, including the way the victim id is\r\nderived from the MachineGuid value, the encryption techniques used, and the way the configuration is structured\r\nand protected. More information on the DarkSide executable can be found in our previous blog.\r\nBlackMatter Ransomware Protection and Indicators of Compromise\r\nNozomi Networks customers using our Threat Intelligence service are already covered against the described\r\nthreat. In addition, Nozomi Networks Labs is monitoring this situation as it evolves and will extend coverage to\r\ncustomers and keep the community informed of major updates.\r\nFor security professionals defending critical infrastructure operations, general recommendations for cyber\r\nresiliency against ransomware are found in our latest OT/IoT Security Report.\r\nFor security researchers, the descriptions provided in this blog of how BlackMatter evades analysis, and how to\r\nextract key information from the code, should be useful as the malware evolves.\r\nThe indicators of compromise (IOC) that we learned from this analysis, as well as the scripts we used in the\r\nanalysis, are found below.\r\nList of IOCs\r\nmojobiden.com\r\nnowautomation.com\r\n706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d\r\n// Created by Nozomi Networks Labs\r\nimport \"pe\"\r\nrule blackmatter_ransomware : blackmatter ransomware {\r\n    meta:\r\n        date = \"2021-09-20\"\r\n        name = \"BlackMatter - RANSOMWARE\"\r\n        author = \"Nozomi Networks Labs\"\r\n        description = \"Generic detection for BlackMatter ransomware\"\r\n        actor = \"BlackMatter\"\r\n        x_threat_name = \"BlackMatter ransomware\"\r\n        x_mitre_technique = \"T1486\"\r\n        hash1 = \"706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d\"\r\n        hash2 = \"9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a\"\r\n        hash3 = \"b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a\"\r\n        hash4 = \"2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd\"\r\n        hash5 = \"f7b3da61cb6a37569270554776dbbd1406d7203718c0419c922aa393c07e9884\"\r\n        hash6 = \"8f1b0affffb2f2f58b477515d1ce54f4daa40a761d828041603d5536c2d53539\"\r\n        hash7 = \"e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d\"\r\n        nn_ts = \"1632088800.0\"\r\n        nn_sig = \"f7c69f3b527ffb3f0c2aa613e902d8d4f0e39966048bb6cfa57556115fa18ed9\"\r\n        nn_id = \"92f90d15-9392-4076-96b5-1e42ac9874c5\"\r\n    condition:\r\n        uint16(0) == 0x5a4d and\r\n        uint32(uint32(0x3c)) == 0x00004550 and\r\n        filesize < 100KB and\r\n        pe.imphash() == \"2e4ae81fc349a1616df79a6f5499743f\"\r\n}\r\nIDAPython Scripts\r\nHere is a script to restore the custom import table dynamically populated by the malware. It defines a new hotkey Z\r\nthat should be pressed when the cursor is located at the bulk decryption function (in the case of this sample, at\r\nRVA 0x78EC).\r\n# Author: Alexey Kleymenov (a member of Nozomi Networks Labs)\r\nimport os\r\nimport struct\r\nimport pefile\r\nimport ida_kernwin\r\n# Heads, GetFlags, isCode, prev_head, print_insn_mnem, get_operand_value, get_bytes, set_name and get_screen_ea\r\n# come from IDA's idautils/idc modules (GetFlags/isCode are the legacy names; newer IDA versions expose them as\r\n# get_full_flags/is_code)\r\nfrom idautils import *\r\nfrom idc import *\r\nPATH_TO_DLLS = 'c:\\\\windows\\\\system32\\\\'\r\nHARDCODED_XOR_KEY = 0x17019FF8\r\ndef extract_api_hashes(start):\r\n    '''\r\n    Returns a dictionary where keys are the import table addresses the resolved data is written to and values\r\n    are lists of hashes. The first hash is the DLL name's hash, the rest are WinAPI names' hashes.\r\n    '''\r\n    decryptor_address = start\r\n    print('Bulk API decryptor address: %x' % decryptor_address)\r\n    api_hashes = {}\r\n    for head in Heads():\r\n        flags = GetFlags(head)\r\n        if isCode(flags):\r\n            prev = prev_head(head)\r\n            prev_2 = prev_head(prev)\r\n            # each call site looks like: push <hash table>; push <import table>; call <decryptor>\r\n            if print_insn_mnem(head) == 'call' and get_operand_value(head, 0) == decryptor_address:\r\n                print('Found the decryptor called: %x' % head)\r\n                if print_insn_mnem(prev) == 'push' and print_insn_mnem(prev_2) == 'push':\r\n                    func_hashes = get_operand_value(prev_2, 0)\r\n                    import_table = get_operand_value(prev, 0)\r\n                    api_hashes[import_table] = []\r\n                    # the hash table is terminated by 0xCCCCCCCC and every entry is XORed with the hardcoded key\r\n                    for i in range(0, 0xffff, 4):\r\n                        api_hash = struct.unpack(\"<I\", get_bytes(func_hashes + i, 4))[0]\r\n                        if api_hash == 0xCCCCCCCC:\r\n                            break\r\n                        else:\r\n                            api_hashes[import_table].append(api_hash ^ HARDCODED_XOR_KEY)\r\n                else:\r\n                    print('Non-standard arguments %x' % head)\r\n    return api_hashes\r\ndef calculate_checksum(name, value):\r\n    '''Standard ror 0x0D'''\r\n    for symbol in name:\r\n        value = ((value >> 0x0D) | (value << (0x20 - 0x0D))) & 0xFFFFFFFF\r\n        # the malware adds in 32-bit arithmetic, so keep the running value masked to 32 bits\r\n        value = (value + ord(symbol)) & 0xFFFFFFFF\r\n    return value\r\ndef build_mappings(dll_filepath, dll_hashes):\r\n    '''\r\n    Calculates API checksums for the DLLs of interest\r\n    '''\r\n    dll_name = os.path.basename(dll_filepath)\r\n    dll_checksum = calculate_checksum(dll_name.lower() + '\\x00', 0)\r\n    result = {}\r\n    if dll_checksum in dll_hashes:\r\n        dll = pefile.PE(dll_filepath, fast_load=True)\r\n        dll.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']])\r\n        if hasattr(dll, 'DIRECTORY_ENTRY_EXPORT'):\r\n            dll_name = dll_name.replace('.', '_')\r\n            result[dll_checksum] = {'dll_name': dll_name}\r\n            export_directory = dll.DIRECTORY_ENTRY_EXPORT\r\n            for symbol in export_directory.symbols:\r\n                if symbol.name is not None:\r\n                    api_name = symbol.name.decode('latin-1')\r\n                    # API hashes are seeded with the DLL name's hash, so the same export name in two DLLs hashes differently\r\n                    api_checksum = calculate_checksum(api_name + '\\x00', dll_checksum)\r\n                    result[api_checksum] = {'dll_name': dll_name, 'api_name': api_name}\r\n    return result\r\ndef parse_dlls(path_to_dlls, dll_hashes):\r\n    '''\r\n    Walks all files in the given path and builds export hash mappings\r\n    '''\r\n    list_dlls = os.listdir(path_to_dlls)\r\n    mappings = {}\r\n    for dll_filename in list_dlls:\r\n        full_path = os.path.join(path_to_dlls, dll_filename)\r\n        mappings.update(build_mappings(full_path, dll_hashes))\r\n    return mappings\r\ndef decrypt_all():\r\n    '''\r\n    Should be run with the cursor at the bulk decryption function\r\n    '''\r\n    start = get_screen_ea()\r\n    api_hashes = extract_api_hashes(start)\r\n    dll_hashes = []\r\n    for _, hashes in api_hashes.items():\r\n        dll_hashes.append(hashes[0])\r\n    dll_mappings = parse_dlls(PATH_TO_DLLS, dll_hashes)\r\n    for import_table, hashes in api_hashes.items():\r\n        dll_hash = hashes[0]\r\n        func_hashes = hashes[1:]\r\n        if dll_hash in dll_mappings:\r\n            print('Found DLL hash %x = %s' % (dll_hash, dll_mappings[dll_hash]['dll_name']))\r\n            for i, api_hash in enumerate(func_hashes):\r\n                if api_hash in dll_mappings:\r\n                    # the first slot of the import table is skipped, so the i-th API address lands in slot i + 1\r\n                    addr = import_table + (i + 1) * 4\r\n                    print('Found API hash for %x = %s (%s)' % (\r\n                        addr,\r\n                        dll_mappings[api_hash]['api_name'],\r\n                        dll_mappings[api_hash]['dll_name']\r\n                    ))\r\n                    set_name(addr, dll_mappings[api_hash]['api_name'])\r\n                else:\r\n                    print('API hash %x not found' % api_hash)\r\n        else:\r\n            print('DLL hash %x not found' % dll_hash)\r\nida_kernwin.add_hotkey(\"z\", decrypt_all)\r\n# Additional: Search & Decrypt Encrypted Strings\r\n# Author: Alexey Kleymenov (a member of Nozomi Networks Labs)\r\nimport struct\r\nimport ida_kernwin\r\nfrom idautils import *\r\nfrom idc import *\r\nHARDCODED_XOR_KEY = 0x17019FF8\r\ndef is_utf16_heur(string):\r\n    '''Treats a buffer as UTF-16 when more than 40% of its bytes are zero'''\r\n    if not string:\r\n        return False\r\n    counter = 0\r\n    for val in string:\r\n        if val == 0:\r\n            counter += 1\r\n    if counter / float(len(string)) > 0.4:\r\n        return True\r\n    return False\r\ndef decrypt_string(start_addr):\r\n    '''Collects the consecutive mov dword ptr [...], imm32 instructions starting at start_addr and XORs the immediates'''\r\n    addr = start_addr\r\n    result = b\"\"\r\n    for i in range(0xFFFF):\r\n        instr = print_insn_mnem(addr)\r\n        if instr != 'mov' or 'dword ptr' not in GetDisasm(addr):\r\n            break\r\n        value = get_operand_value(addr, 1)\r\n        decoded_value = value ^ HARDCODED_XOR_KEY\r\n        result += struct.pack(\"<I\", decoded_value)\r\n        addr = next_head(addr)\r\n    result_orig = result\r\n    if is_utf16_heur(result):\r\n        result = result.decode('utf-16le')\r\n    else:\r\n        result = result.decode('latin-1')\r\n    if all(ord(c) < 128 for c in result):\r\n        result = result.rstrip('\\x00')\r\n    else:\r\n        result = 'hex: ' + result_orig.hex()\r\n    print('%x - %s' % (start_addr, result))\r\n    set_cmt(start_addr, result, 0)\r\ndef decrypt_string_manual():\r\n    start_addr = get_screen_ea()\r\n    decrypt_string(start_addr)\r\ndef search_for_encrypted_strings():\r\n    '''Looks for the inline decryption loop (xor dword ptr [...], key; add ..., 4) preceded by mov ecx, <dword count>'''\r\n    for head in Heads():\r\n        flags = GetFlags(head)\r\n        if isCode(flags):\r\n            # the comparison at the end of this condition is truncated in the archived text; matching the xor\r\n            # immediate against the hardcoded key is the assumed intent\r\n            if print_insn_mnem(head) == 'xor' and 'dword ptr' in GetDisasm(head) and get_operand_value(head, 1) == HARDCODED_XOR_KEY:\r\n                next_addr = next_head(head)\r\n                if print_insn_mnem(next_addr) == 'add' and get_operand_value(next_addr, 1) == 4:\r\n                    prev = prev_head(head)\r\n                    if 'mov ecx' in GetDisasm(prev):\r\n                        num = get_operand_value(prev, 1)\r\n                        # walk back over the num mov instructions that store the encrypted dwords\r\n                        for i in range(num):\r\n                            prev = prev_head(prev)\r\n                        # print('Found the encryption string candidate: %x' % prev)\r\n                        decrypt_string(prev)\r\nida_kernwin.add_hotkey(\",\", decrypt_string_manual)\r\nsearch_for_encrypted_strings()\r\nSource: https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/"
	],
	"report_names": [
		"blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs"
	],
	"threat_actors": [],
	"ts_created_at": 1775438959,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cf9f2c1d4f5d5d755fea572a197513916ba01ba.pdf",
		"text": "https://archive.orkl.eu/0cf9f2c1d4f5d5d755fea572a197513916ba01ba.txt",
		"img": "https://archive.orkl.eu/0cf9f2c1d4f5d5d755fea572a197513916ba01ba.jpg"
	}
}