{
	"id": "6eedad31-c3f1-410d-a95e-e8389c337823",
	"created_at": "2026-04-06T01:31:05.667522Z",
	"updated_at": "2026-04-10T03:21:37.036348Z",
	"deleted_at": null,
	"sha1_hash": "705dc7f88fc88447669227f14c43311a85ca2d7c",
	"title": "BlackMatter Ransomware: In-Depth Analysis \u0026 Recommendations | Varonis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1244056,
	"plain_text": "BlackMatter Ransomware: In-Depth Analysis \u0026 Recommendations | Varonis\r\nBy Dvir Sason\r\nPublished: 2021-11-02 · Archived: 2026-04-06 00:39:38 UTC\r\nExecutive Summary\r\nCISA has issued a security bulletin regarding the BlackMatter 'big game hunter' ransomware group following a sharp increase in cases targeting U.S. businesses. To mitigate these attacks, organizations are advised to enforce multifactor authentication (MFA) and to update vulnerable software and systems, particularly those commonly exploited by ransomware groups.\r\nBackground\r\nOver the July 4th holiday, REvil attacked Kaseya's customers using a Sodinokibi payload that, amongst its many indicators of compromise (IOCs), included a \"Blacklivesmatter\" registry entry.\r\nNot long after, REvil seemingly disappeared from the dark web, potentially in an attempt to avoid law enforcement attention or as the result of some takedown action.\r\nAside from being an interesting IOC at the time, the \"Blacklivesmatter\" registry entry seemingly provided an early indication of things to come, namely the formation of a big game hunter ransomware group using the moniker \"BlackMatter\" that, based on our research, appears to be an amalgamation of REvil and Darkside's team members and tradecraft. The groups exhibit strong similarities in their codebases, infrastructure configuration, techniques, and operating philosophies.\r\nREvil and Darkside, as we know, have been two of the most prolific ransomware groups throughout 2020 and 2021, with landmark attacks on Colonial Pipeline and JBS as well as the infamous Travelex incident that saw the organization and its customers suffering disruption for months.\r\nTargets\r\nWhile mainly targeting Windows-based systems, we have observed unique payloads targeting Linux systems as well. 
Linux payloads don't encrypt data; they act as remote access trojans (RATs) to pivot to other Windows-based machines.\r\nSince forming BlackMatter in mid-July 2021, the group's first foray seemingly targeted a US-based architecture company in, or around, July 28, 2021, some three weeks after the Kaseya incident.\r\nhttps://www.varonis.com/blog/blackmatter-ransomware/\r\nPage 1 of 10\r\nFigure 1 - Example BlackMatter Ransom Negotiations\r\nBlackMatter offers threat actors and affiliates access to custom configurable binary payloads for each victim that include unique traits such as a tailored ransom note, often providing proof of the stolen data, as well as the victim's name and their identifier.\r\nBased on dark web posts by an identity purporting to be BlackMatter, the group is only interested in targeting businesses with more than $100M annual revenue and avoids networks that were previously compromised by Darkside or REvil. To incentivize others to provide access to new potential victim networks, theoretically appealing to malicious insider threats as well as initial access operators, the group offers a $100K bounty.\r\nAs seen in REvil's recruitment activity during 2020, BlackMatter has provided proof and reassurance of its ability to pay any would-be affiliate by depositing 4 BTC (~$247K) with the forum.\r\nFigure 2 - BlackMatter Forum Post\r\nNotably, the group appears to target organizations in English-speaking countries (explicitly listing Australia, Canada, the United Kingdom, and the United States), although it excludes healthcare and government institutions, likely to avoid local law enforcement action resulting from political pressure, especially in the wake of an attack that might be considered an act of cyber warfare.\r\nDelivery\r\nUnlike many cyberattacks that rely on phishing to establish a foothold, BlackMatter 
appears to gain initial access primarily via the compromise of vulnerable edge devices and the abuse of corporate credentials obtained from other sources.\r\nWhile it is possible that some edge cases may see the use of spear-phishing campaigns and malicious document payloads, leading to the compact ~80 KB BlackMatter payload being dropped or downloaded, this has not been observed in any investigations we have conducted.\r\nIn addition to BlackMatter members exploiting infrastructure vulnerabilities, such as those found in remote desktop, virtualization and VPN appliances or servers, initial access operators affiliated with the group will likely bring their own TTPs and may favor exploiting some vulnerabilities over others.\r\nAdditionally, the group is thought to make use of credentials obtained from other sources, such as third-party credential leaks, broad phishing campaigns or dark web marketplace purchases, taking advantage of credential reuse and exploiting organizations that don't enforce multi-factor authentication on internet-facing services.\r\nIn many cases, BlackMatter and their affiliates appear opportunistic, happening upon vulnerable organizations based on their susceptibility to a preferred intrusion method rather than investing time and effort toward a specific target.\r\nIn other cases, it is apparent that BlackMatter has gained extensive and intimate knowledge of the victim's infrastructure: the victim-specific ransomware configuration includes tailored process and service names to ensure they are terminated prior to the encryption phase, as well as an embedded list of high-privilege credentials. These may include domain administrator or service accounts that provide the ability to access and encrypt data throughout the network.\r\nWhat can we say about the payload?\r\nHighly efficient 
multithreaded executable, written in C, that is only ~80 KB in size.\r\nVersion 3.0 hides the configuration in different locations, making it harder to extract and analyze.\r\nTo hide execution flow, every function is decoded, loaded into memory, executed and then purged.\r\nRelies on native Windows cryptography libraries, keeping the payload much smaller.\r\nEncrypts files using a combination of Salsa20 and 1024-bit RSA keys.\r\nAllows specified file extensions and filenames to be excluded from the encryption process, often to ensure that Windows will still boot.\r\nElevates privileges using the ICMLuaUtil COM-based user account control (UAC) bypass, a roughly four-year-old technique affecting Windows 7 through 10 that is not specific to BlackMatter and was previously used by Darkside and MedusaLocker (Microsoft considers this behaviour a 'feature', so no fix will be released).\r\nBlackMatter's configuration allows previously acquired credentials to be specified and potentially used with the UAC bypass.\r\nEnumerates and deletes shadow copies through the Windows Management Instrumentation (WMI) COM interface: IWbemServices::ExecQuery - ROOT\\CIMV2 : SELECT * FROM Win32_ShadowCopy\r\nThe victim ID, the ransom note filename and the encrypted file extension are all derived from the MachineGuid value within the Registry ( HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid ).\r\nThe resulting encrypted file extension consists of nine mixed-case alphanumeric characters, and the ransom note is saved on the victim's desktop and to c:\\%extension%-README.txt ; both may evade some dictionary-based detection methods.\r\nThe encryption process involves reading the target file, renaming it with the new extension, partially encrypting it and re-writing 1024 KB of data.\r\nEnumerates Active Directory environments using native LDAP queries, specifically the built-in Computers container LDAP://CN=Computers , to identify potential target 
machines.\r\nUpdates the victim's desktop wallpaper to inform them of the situation:\r\nFigure 3 - BlackMatter Wallpaper\r\nSets the Access Control List of encrypted files to \"Everyone\", granting any and all users access.\r\nTo avoid detection and allow file encryption without interference from security controls, BlackMatter supports the use of Windows safe mode, with the built-in local administrator account enabled and set for automatic sign-in and the RunOnce Registry key set to execute the BlackMatter payload.\r\nThe victim-specific ransom note advises the victim of both the data encryption and theft, instructing them to install the Tor Browser bundle so that the dark web negotiation site can be accessed.\r\nFigure 4 - Ransom Note\r\nIn the past, REvil and Darkside have avoided the encryption of machines identified as being within countries that are members of the Commonwealth of Independent States (CIS), based on identifying the country code used by the victim's keyboard layout.\r\nThis, combined with early cybercrime forum posts indicating that only native Russian speakers are eligible to work with the group, provides a strong indication that the founding members of the group originate and operate from within the region.\r\nNotably, BlackMatter does not appear to perform the same geolocation checks, perhaps in an attempt to avoid association with the region and their past escapades.\r\nCommand and Control\r\nThe payload communicates with command-and-control (C2) infrastructure over HTTPS, with the message body encrypted using AES.\r\nThe victim sends a beacon including the machine name, OS version and CPU architecture, OS language, username, domain name, disk sizes, and potential encryption keys:\r\nFigure 5 - C2 
Communications\r\nThis communication was observed impersonating the following user-agent strings, which may be anomalous in some environments:\r\nMozilla/5.0 (Windows NT 6.1)\r\nFirefox/89.0\r\nGecko/20100101\r\nEdge/91.0.864.37\r\nSafari/537.36\r\nPayload Configuration\r\nThe BlackMatter configuration, seemingly a JSON structure, allows the payload to be tailored toward a specific victim, including:\r\nRSA public key used to encrypt the Salsa20 encryption key.\r\nCompany victim ID.\r\nAES key used during Salsa20 key initialization (used later in file encryption).\r\nBot malware version, mentioning the payload version.\r\nOdd Crypt Large Files - to further damage large files such as databases.\r\nNeed Make Logon - will attempt to authenticate using the credentials mentioned in the config.\r\nMount units and crypt - attempt to mount volumes and encrypt them.\r\nLook for network shares and AD resources and attempt to encrypt them as well.\r\nProcesses and services to terminate prior to encryption to ensure maximum impact.\r\nCreating mutexes so the payload does not run more than once.\r\nPreparing the victim's data and exfiltrating it.\r\nDropping ransom notes post file encryption.\r\nC2 domains to communicate with over HTTP or HTTPS.\r\nSetting a unique ransom note.\r\nFigure 6 - Payload Configuration\r\nRecommendations\r\nEnforce MFA wherever possible.\r\nKeep backup plans well maintained and operational.\r\nEmploy patch management processes on externally facing appliances such as VPNs.\r\nContinuously assess external organization posture while looking for accessible devices, such as Exchange and vCenter servers.\r\nRotate user, admin and service account passwords while checking continuously for leaked credentials.\r\nPrepare and practice Incident Response procedures for ransomware attacks.\r\nBlock the mentioned servers and 
IOCs.\r\nIndicators of Compromise (IOCs)\r\nSHA256 Windows payloads:\r\n1. 02ec55a8f4f97a84370ca72b03912ae8625d344b7bd1af92a2de4b636183f2ab\r\n2. 072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486\r\n3. 0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4\r\n4. 14a3e308c90183b3785b6c26ec40d29405361cd8dec204a62235733401bf5f5c\r\n5. 1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849\r\n6. 1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2\r\n7. 20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41\r\n8. 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6\r\n9. 2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c\r\n10. 2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c\r\n11. 2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009\r\n12. 2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd\r\n13. 2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2\r\n14. 3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117\r\n15. 3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40\r\n16. 4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91\r\n17. 4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b\r\n18. 520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57\r\n19. 5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa\r\n20. 668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6\r\n21. 66e6563ecef8f33b1b283a63404a2029550af9a6574b84e0fb3f2c6a8f42e89f\r\n22. 6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db\r\n23. 6e846881115448d5d4b69bf020fcd5872a0efef56e582f6ac8e3e80ea79b7a55\r\n24. 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d\r\n25. 730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4\r\n26. 77340f01535db5c80c1f3e725a8f8de17bb227f567b8f568dd339be6ddacf60e\r\n27. 
7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984\r\n28. 8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac\r\n29. 86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94\r\n30. 8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952\r\n31. 8f1b0affffb2f2f58b477515d1ce54f4daa40a761d828041603d5536c2d53539\r\n32. 98227953d55c5aee2271851cbea3680925d4d0838ee0d63090da143c8d71ac55\r\n33. 9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\r\n34. 9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a\r\n35. a5cdca5a8120b5532f6de3395b9b6d411ad9234b857ce17bb3cc5747be6a7dd2\r\n36. b0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a\r\n37. b1891a5375198e262dfe6f83a89574e7aa438f41e2853d5d31e101bcec95cbf3\r\n38. b3e82b43750c7d0833f69abd3d31751c9e8face5063573946f61abbdda513eb8\r\n39. b4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7\r\n40. b824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f\r\n41. c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99\r\n42. c728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe\r\n43. cf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7\r\n44. d4645d2c29505cf10d1b201826c777b62cbf9d752cb1008bef1192e0dd545a82\r\n45. d4647619fa2dc8fef5560d1662cbee6eb7dc95298dd40edf12dd4c8ee902d767\r\n46. daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720\r\n47. e146f17a53300e19ec480d069b341688127d46198ff0fdd0e059914130d56f56\r\n48. e4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d\r\n49. e9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4\r\n50. eaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b\r\n51. eafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1\r\n52. ed47e6ecca056bba20f2b299b9df1022caf2f3e7af1f526c1fe3b8bf2d6e7404\r\n53. 
f32604fba766c946b429cf7e152273794ebba9935999986b7e137ca46cd165fc\r\n54. f7b3da61cb6a37569270554776dbbd1406d7203718c0419c922aa393c07e9884\r\n55. fe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2\r\nSHA256 Linux payloads:\r\n1. 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502\r\n2. d4645d2c29505cf10d1b201826c777b62cbf9d752cb1008bef1192e0dd545a82\r\nDomains:\r\nnowautomation[.]com\r\nfluentzip[.]org\r\nmojobiden[.]com\r\npaymenthacks[.]com\r\nIP addresses:\r\n99.83.154[.]118\r\nDvir Sason\r\nDvir manages the Varonis Research Team. He has ~10 years of Offensive \u0026 Defensive security experience, focusing on red teaming, IR, SecOps, governance, security research, threat intel, and cloud security. Certified CISSP and OSCP, Dvir loves to solve problems, coding automations (PowerShell ❤, Python), and breaking stuff.\r\nSource: https://www.varonis.com/blog/blackmatter-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.varonis.com/blog/blackmatter-ransomware/"
	],
	"report_names": [
		"blackmatter-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439065,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/705dc7f88fc88447669227f14c43311a85ca2d7c.pdf",
		"text": "https://archive.orkl.eu/705dc7f88fc88447669227f14c43311a85ca2d7c.txt",
		"img": "https://archive.orkl.eu/705dc7f88fc88447669227f14c43311a85ca2d7c.jpg"
	}
}