{
	"id": "5d53dee6-30c3-4910-89e4-92ca6ef35bf7",
	"created_at": "2026-04-10T03:21:27.298648Z",
	"updated_at": "2026-04-10T03:22:17.420766Z",
	"deleted_at": null,
	"sha1_hash": "71140efad330d9aaddf49ca3c91223ffc43acf62",
	"title": "BlackMatter: Ransomware Group Seeks Affiliates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1141382,
	"plain_text": "BlackMatter: Ransomware Group Seeks Affiliates\r\nBy cybleinc\r\nPublished: 2021-08-05 · Archived: 2026-04-10 02:47:37 UTC\r\nCyble's deep-dive research on the emerging BlackMatter ransomware group that is looking for cybercriminals with\r\naccess to the networks of their potential targets.\r\nA new ransomware group is emerging on the darkweb, looking for affiliates to start its operations. This group calls\r\nitself BlackMatter and has posted ads on two cybercrime forums named Exploit[.]in and XSS[.]is. The\r\nBlackMatter ransomware group is seeking cybercriminals who already have access to the potential target’s networks.\r\nIn the Ransomware-as-a-Service (RaaS) model, the ransomware group creates ransomware and a platform to manage the possible targets and victims.\r\nCategory: Surface Web\r\nRisk Score: High\r\nTLP Rating: White\r\nAPT Group: N/A\r\nThreat Name: BlackMatter\r\nTarget: Firms with revenue of $100 Million and more\r\nAffected Region: United States of America, Canada, Australia, and Great Britain.\r\nThreat Description: New ransomware group looking for affiliates for ransomware operations.\r\nBlackMatter Threat Summary (Available to enterprise customers since July 21)\r\nTechnical Analysis:\r\nCyble Research Labs found the post on XSS[.]is by the threat actor named BlackMatter, as shown in Figure 1. 
In\r\nthe post, the TA has mentioned the conditions required for affiliates to join them, which are as follows:\r\nCorporate Networks should be from one of the following countries: the United States of America, Canada,\r\nAustralia, and Great Britain.\r\nThey are targeting all organizations except the medical industry and government institutions.\r\nThe revenue of the target organization should be more than $100 million, and it should have 500-1500\r\nhosts.\r\nhttps://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/\r\nPage 1 of 6\n\nThe networks on which other actors have already tried attacks are excluded from the target list.\r\nFigure 1: BlackMatter group's ad for affiliates posted on XSS[.]is\r\nThe TA has given two options for affiliation. The first option offers to buy network access for an amount ranging\r\nfrom $3k to $100k. In the second option, affiliates may work with the group in exchange for a percentage of the ransom.\r\nOnce the affiliates are selected, they need to deposit $120,000 to the group to participate in their ransomware\r\nactivity.\r\nThe TA has posted a similar threat post on another cybercrime forum named Exploit[.]in. The TA post is shown in\r\nFigure 2.\r\nFigure 2: BlackMatter group's ad for affiliates posted on Exploit[.]in\r\nWe found that the leak website of the BlackMatter ransomware group is hosted in the TOR network (Figure 3).\r\nThe Home page shows buttons for media updates and contact. The Home page displays the message, “All blogs\r\nhidden for now. 
For a very short time.” It indicates that the group has started its operations.\r\nFigure 3: Home page of the BlackMatter Ransomware.\r\nWhen we clicked on the button for media updates, we were redirected to the Media page, as shown in Figure 4. It\r\nalso displays information such as excluded targets and messages to the media. Following is the list of excluded\r\ntargets:\r\nHospitals.\r\nCritical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).\r\nOil and gas industry (pipelines, oil refineries).\r\nDefense industry.\r\nNon-profit companies.\r\nGovernment sector.\r\nReferring to the above list, we can say that the ransomware group is targeting private organizations so that they\r\ncan continue their operations without getting media attention. We can infer that attackers are aware of the\r\nconsequences of compromising highly sensitive targets. Based on the rules and About Us information given on the\r\nBlackMatter ransomware leak website, we suspect that this group has close connections with the DarkSide\r\nransomware group. We presume that the group is only interested in the money.\r\nFigure 4: Media page of the BlackMatter Ransomware group.\r\nFigure 4 shows the contact page of the BlackMatter Ransomware through which people can contact the\r\nransomware group.\r\nFigure 5: Contact page of the BlackMatter Ransomware.\r\nConclusion:\r\nThe BlackMatter ransomware group tries to gain access to critical servers from other threat actors in order to\r\nlaunch its campaign. 
Organizations should perform security scanning and immediate patching of known\r\nvulnerabilities using various processes such as Vulnerability Assessment and Penetration Testing (VAPT), Red\r\nteaming, and Purple teaming.\r\nCyble Research Labs is continuously monitoring BlackMatter activities. We will keep informing our clients with\r\nrecent updates about this campaign.\r\nOur Recommendations:\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices\r\nwherever possible and pragmatic.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk\r\nfootprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as\r\none of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with\r\noffices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,\r\nvisit www.cyble.com. \r\nSource: https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/"
	],
	"report_names": [
		"blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates"
	],
	"threat_actors": [],
	"ts_created_at": 1775791287,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71140efad330d9aaddf49ca3c91223ffc43acf62.pdf",
		"text": "https://archive.orkl.eu/71140efad330d9aaddf49ca3c91223ffc43acf62.txt",
		"img": "https://archive.orkl.eu/71140efad330d9aaddf49ca3c91223ffc43acf62.jpg"
	}
}