{
	"id": "e495ac91-1728-4875-96cc-5f1974790d7c",
	"created_at": "2026-04-06T00:18:36.457021Z",
	"updated_at": "2026-04-10T03:35:52.775525Z",
	"deleted_at": null,
	"sha1_hash": "23bde92fafd7a78d281ca85f50470912f3d3c9f3",
	"title": "Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57934,
	"plain_text": "Noberus Ransomware: Darkside and BlackMatter Successor\r\nContinues to Evolve its Tactics\r\nArchived: 2026-04-05 17:17:45 UTC\r\nAttackers deploying the Noberus (aka BlackCat, ALPHV) ransomware have been using new tactics, tools, and\r\nprocedures (TTPs) in recent months, making the threat more dangerous than ever.\r\nAmong the more notable developments have been the use of a new version of the Exmatter data\r\nexfiltration tool and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by\r\nVeeam backup software.\r\nHow does Noberus operate?\r\nNoberus is widely believed to be a successor payload to the Darkside and BlackMatter ransomware families,\r\nwhich were developed by a group Symantec, by Broadcom Software, tracks as Coreid (aka FIN7, Carbon Spider).\r\nDarkside was used in the Colonial Pipeline ransomware attack in May 2021. The extreme amount of public and\r\nlaw enforcement attention that attack attracted led Coreid to shut down Darkside and replace it with BlackMatter.\r\nCoreid runs a ransomware-as-a-service (RaaS) operation, which means it develops the ransomware but it is\r\ndeployed by affiliates for a cut of the profits. The ransomware being deployed by different affiliates can\r\nsometimes explain the different TTPs and attack chains used in Noberus attacks.\r\nNoberus sparked interest when it was first seen in November 2021 because it was coded in Rust, and this was the\r\nfirst time we had seen a professional ransomware strain used in real-world attacks coded in that programming\r\nlanguage. Rust is a notable language as it is cross-platform. Coreid claims that Noberus is capable of encrypting\r\nfiles on Windows, ESXi, Debian, ReadyNAS, and Synology operating systems.\r\nNoberus emerged shortly after BlackMatter announced it was being retired. 
Coreid sets out in the rules of its\r\naffiliate program that Noberus cannot be used to attack:\r\nThe Commonwealth of Independent States or neighboring countries\r\nOrganizations in or related to the healthcare sector\r\nCharitable or non-profit organizations\r\nAffiliates are also advised to avoid attacking the education and government sectors.\r\nWhen announcing Noberus, Coreid underlined the features that appeared designed to emphasize its superiority to\r\nrival ransomware, including that each advert is provided with an entrance through its own unique onion domain;\r\nthe affiliate program architecturally excludes all possible connections with forums; even if a full-fledged\r\ncommand line shell is obtained, the attacker will not be able to reveal the real IP address of the server, and\r\nencrypted negotiation chats that can only be accessed by the intended victim.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps\r\nPage 1 of 5\n\nThe ransomware also offered two encryption algorithms (ChaCha20 and AES), as well as four encryption modes -\r\nFull, Fast, DotPattern and SmartPattern. Full is the most secure but also the slowest mode. SmartPattern offers\r\nencryption of “N” megabytes in percentage increments. By default, it encrypts with a strip of 10 megabytes every\r\n10 percent of the file starting from the header, which would be an optimal mode for attackers in terms of speed\r\nand cryptographic strength. Sentinel Labs recently published a report where it referred to this kind of encryption\r\nas “intermittent encryption” and mentioned how it had been adopted by certain ransomware operators, including\r\nNoberus, Black Basta, and more. \r\nThe percentage of each ransom that is paid to Noberus affiliates varies depending on the ransom amount. Coreid\r\nhas continuously updated Noberus since its launch in November 2021 to make its operation more efficient. 
They\r\nwill also cull affiliates if they are not bringing in enough money, encouraging them to “contact less professional\r\nteams”. In December 2021, the ransomware added a new “Plus” role for affiliates that had brought in more than\r\n$1.5 million. It gave access to:\r\nDDoS - used to target domains with DDoS attacks\r\nCalls - adding a field to indicate the phone numbers of the victim or add a contact number for the affiliate\r\nto communicate directly with victims if they wish\r\nBrute - making it possible to brute force NTDS, Kerberos tickets and other hashes for free\r\nCoreid made a major update to Noberus in June 2022, which included:\r\nIntroducing an ARM build for encryption of non-standard architectures\r\nIntroducing SAFEMODE - Added encryption functionality to the Windows build via rebooting into safe\r\nmode (--safeboot) and safe mode with networking (--safeboot-network)\r\nCoreid also made some updates to the locker, by adding new restart logic, and simplifying the Linux encryption\r\nprocess. In a July 2022 update the team added indexing of stolen data - meaning its data leaks websites can be\r\nsearched by keyword, file type, and more.\r\nThe continuous updating and refining of Noberus’ operations shows that Coreid is constantly adapting its\r\nransomware operation to ensure it remains as effective as possible. The FBI issued a warning in April 2022 saying\r\nthat between November 2021 and March 2022 at least 60 organizations worldwide had been compromised with\r\nthe Noberus ransomware - the number of victims now is likely to be many multiples of that. \r\nNoberus and Exmatter: New version of data exfiltration tool used in ransomware\r\nattacks\r\nIn August 2022, a heavily updated version of the Exmatter (Trojan.Exmatter) data exfiltration tool was observed\r\nbeing used alongside Noberus in ransomware attacks.\r\nExmatter was discovered by Symantec researchers in November 2021 being used alongside the BlackMatter\r\nransomware. 
It was designed to steal specific file types from a number of selected directories and upload them to\r\nan attacker-controlled server prior to deployment of the ransomware itself on the victim’s network. Even at the\r\ntime of its discovery, various variants of the tool were seen, as its developers continued to refine it to optimize its\r\noperation and expedite exfiltration of a sufficient volume of high-value data in as short a time as possible.\r\nThis latest version of Exmatter has reduced the number of file types it attempts to exfiltrate. It will now exfiltrate\r\nfiles with the following extensions only:\r\n.pdf, .doc, .docx, .xls, .xlsx, .png, .jpg, .jpeg, .txt, .bmp, .rdp, .txt, .sql, .msg, .pst, .zip, .rtf, .ipt, .dwg\r\nOther new features include:\r\nAddition of a third exfiltration capability (FTP) to SFTP and WebDav, which were present in older versions.\r\nReports: Ability to build a report listing all processed files.\r\nEraser: Can corrupt processed files (not turned on in version analyzed).\r\nSelf-destruct: Configuration option, which, when enabled, will make the tool self-destruct and quit if\r\nexecuted in a non-corporate environment (outside of a Windows domain).\r\nSocks5: Socks5 support was removed.\r\nIn at least one attack, the tool was deployed via GPO.\r\nIn addition to this, the malware was extensively rewritten, and even existing features were implemented\r\ndifferently. This was possibly a bid to avoid detection. Whether Exmatter is the creation of Coreid or a skilled\r\naffiliate of the group is not clear, but its use alongside two different iterations of Coreid’s ransomware is notable.\r\nIts continuous development also underlines the focus of the group on data theft and extortion, and the importance\r\nof this element of attacks to ransomware actors now. 
\r\nNoberus and Eamfo: Attackers using malware to steal credentials from Veeam\r\nAt least one affiliate of the Noberus ransomware operation was spotted in late August using information-stealing\r\nmalware that is designed to steal credentials stored by Veeam backup software. Veeam is capable of storing\r\ncredentials for a wide range of systems, including domain controllers and cloud services. The credentials are\r\nstored to facilitate the backup of these systems. The malware (Infostealer.Eamfo) is designed to connect to the\r\nSQL database where Veeam stores credentials, and it steals credentials with the following SQL query:\r\nselect [user_name],[password],[description] FROM [VeeamBackup].[dbo].[Credentials]\r\nEamfo will then decrypt and display the credentials.\r\nEamfo appears to have been in existence since at least August 2021 and there is evidence that it has previously\r\nbeen used by attackers using the Yanluowang and LockBit ransomware families. A recent report from BlackBerry\r\nalso detailed Eamfo being used alongside a new ransomware strain it dubbed Monti, which appears to be based on\r\nthe leaked source code of the Conti ransomware. The TTPs used in Monti attacks also closely resemble former\r\nConti attack chains, suggesting those behind Monti may be former affiliates of that group. Conti was developed by\r\na group Symantec tracks as Miner. \r\nStealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral\r\nmovement, providing the attackers with access to more data they can potentially exfiltrate and more machines to\r\nencrypt.\r\nNoberus attacks involving Eamfo seen by Symantec also utilized GMER, a relatively old rootkit scanner that can\r\nbe leveraged by ransomware actors to kill processes. 
GMER usage by ransomware attackers appears to have\r\nbecome more frequent in recent months, and it was also seen in the Monti attack detailed by BlackBerry.\r\nConclusion\r\nThere’s no doubt that Coreid is one of the most dangerous and active ransomware developers operating at the\r\nmoment. The group has been around since 2012, and became well-known for using its Carbanak malware to steal\r\nmoney from organizations worldwide, with the banking, hospitality and retail sectors among its preferred targets.\r\nThree members of the group were arrested in 2018, and in 2020 the group changed its tactics and launched its\r\nransomware-as-a-service operation. Its continuous development of its ransomware and its affiliate programs\r\nindicates that this sophisticated and well-resourced attacker has little intention of going anywhere anytime soon.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nFile hashes (SHA256)\r\nFile Names\r\nsync_enc.exe\r\nwithout_cert.exe\r\nvup.exe\r\nmorph.exe\r\nlocker.exe\r\nisgmer.exe\r\nkgeyauow.sys\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps"
	],
	"report_names": [
		"noberus-blackcat-ransomware-ttps"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434716,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23bde92fafd7a78d281ca85f50470912f3d3c9f3.pdf",
		"text": "https://archive.orkl.eu/23bde92fafd7a78d281ca85f50470912f3d3c9f3.txt",
		"img": "https://archive.orkl.eu/23bde92fafd7a78d281ca85f50470912f3d3c9f3.jpg"
	}
}