{
	"id": "5ebbeccb-2cbb-43cc-91d2-7a3457916855",
	"created_at": "2026-05-05T02:46:25.190284Z",
	"updated_at": "2026-05-05T02:46:36.760144Z",
	"deleted_at": null,
	"sha1_hash": "773df0669dde750242796eae846b900f83a9338b",
	"title": "The Darker Things",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4089290,
	"plain_text": "The Darker Things\r\nArchived: 2026-05-05 02:43:16 UTC\r\nToday, on November 3, the BlackMatter gang announced it was shutting down its Ransomware-as-a-Service program due to “pressure from the authorities”.\r\nHowever, this does not mean that BlackMatter’s affiliates will stop their malicious activity. They will most likely join other RaaS programs. In addition, this might just be an attempt to make a fresh start under a different name. Just as BlackMatter was a rebranding of DarkSide, a new successor may appear soon. Therefore, given the similarities that we observed between DarkSide and BlackMatter ransomware back in August, it is important to be aware of the features of the latest ransomware versions: the malware configuration, the encryption mechanisms in use, and so on.\r\nFor this purpose, experts from Group-IB’s Digital Forensics and Incident Response Team analyzed new BlackMatter samples for Windows and Linux. Andrey Zhdanov, Group-IB’s threat hunter, shares new data on his findings.\r\nA US architectural firm was among the first to fall victim to BlackMatter in late July 2021. Since then, the BlackMatter operators’ appetites have grown considerably, the frequency of attacks has increased, and the threat actors seem to have been constantly improving their tools. The average ransom demand is $5.3 million, with the maximum, which the attackers demanded from Japan’s Olympus Corporation, reaching $30 million.\r\nBlackMatter affiliates try their best to pick their victims carefully so as not to draw too much attention, but they are not exactly succeeding. Since the first BlackMatter attacks were reported, they have received a lot of very close attention from threat researchers. And on 18 October 2021, CISA, the FBI, and the NSA issued joint recommendations naming BlackMatter ransomware responsible for attacks on U.S. critical infrastructure that had begun in July 2021. As of November 2021, the list of BlackMatter victims consists of more than 50 companies based in the US, Austria, Italy, France, Japan, and other countries.\r\nhttps://blog.group-ib.com/blackmatter2\r\nPage 1 of 18\n\nBlackMatter for Windows\r\nDepending on its command line parameters, the ransomware for Windows can operate in five different modes. We were able to recover the command line arguments by analyzing their hashes.\r\n–path [PATH] – encryption of the specified object (directory, file, network resource).\r\n–safe – self-registration in the RunOnce key of the system registry, followed by a reboot to encrypt files in safe mode.\r\n–wall – creation of a BMP image with information about the encryption of files, which is then set as the desktop wallpaper.\r\n[PATH] – encryption of a specified directory/file.\r\nWhen other parameters are set or no parameters are given, the system is fully encrypted according to the configuration settings. Upon completing the encryption, the ransomware creates a BMP image alerting that files have been encrypted, which it then sets as the desktop wallpaper. Starting from version 1.4, the ransomware can also print the text of the ransom demand on the victim’s default printer.\r\nWhen BlackMatter launches, it checks the rights of the current user and, if necessary, tries to bypass UAC (User Account Control) through privilege escalation using the ICMLuaUtil COM interface. Also, if the appropriate flag is set in the configuration, it attempts to authenticate using the credentials contained in the configuration data.\r\nBefore starting the encryption, BlackMatter deletes shadow copies of partitions using WQL queries (WMI Query Language).\r\nTo encrypt files, BlackMatter uses a highly efficient multithreading implementation based on an I/O (input/output) completion port. The malware also sets the highest priority (THREAD_PRIORITY_HIGHEST) for the file enumeration and encryption threads. By default, only the first megabyte of file contents is encrypted. In earlier versions, data was encrypted using Salsa20. Apparently, the authors of BlackMatter, just like the authors of the Petya ransomware five years ago, made mistakes in their implementation of the Salsa20 algorithm. Starting from version 1.9, file contents are encrypted using a modified version of the ChaCha20 implementation, presumably taken from the CryptoPP library. Furthermore, the ChaCha20 encryption algorithm is implemented using SSSE3 processor instructions. ChaCha20 keys are encrypted using the RSA-1024 public key. A data block with the encrypted key is appended to the end of the file. The names of the encrypted files are as follows:\r\n[FILENAME].[VICTIM_ID]\r\nFILENAME – the original name of the file.\r\nVICTIM_ID – the victim ID generated on the basis of the string contained in the MachineGuid value of the HKLM\\SOFTWARE\\Microsoft\\Cryptography registry key.\r\nThe BlackMatter configuration contains the names of directories, files and extensions skipped during the encryption process as lists of checksums (hashes).\r\nIn each processed directory, the ransomware creates a text file containing the ransom demand:\r\n[VICTIM_ID].README.txt\r\nConfiguration\r\nThe BlackMatter configuration data for Windows is contained in a section disguised as a “.rsrc” resource section, but there are no resources in it.\r\nThe first 64-bit number (0F8B2AB512017D0F5h) in the section represents the initial value for the pseudo-random sequence generator (random seed) used to encrypt the program data. The next 32-bit value represents the actual size of the configuration data. Prior to encryption, the configuration data was pre-compressed using the aPLib compression algorithm, which is popular among ransomware developers. Previously, this algorithm was found, for example, in such ransomware families as DarkSide, DoppelPaymer, Clop, and others.\r\nConfiguration data after decryption and decompression:\r\nOffset – Description\r\n000h – RSA-1024 public key.\r\n080h – ‘bot-company’, the 16-byte Company ID.\r\n090h – AES-128 ECB key for encrypting data that is transmitted to the threat actors.\r\n0A0h – Logical one-byte flags that define the ransomware settings.\r\nVersions below 1.9:\r\n0A8h – Offset table of configuration parameter values.\r\n0D0h – Configuration parameter values.\r\nVersion 1.9 and higher:\r\n0A9h – Offset table of configuration parameter values.\r\n0D1h – Checksum of the contents of the text file containing the ransom demand. The ransomware uses this checksum to avoid encrypting its own text files containing the ransom demand.\r\n0D5h – Configuration parameter values.\r\nLogical flags that indicate the ransomware settings:\r\nFlag index – Description\r\n0 – Encryption of one-megabyte blocks in large files at intervals that depend on the file size.\r\n1 – Attempt authentication using the credentials contained in the configuration.\r\n2 – Mount partitions and encrypt files on them. Starting from version 1.4, if this flag is set, Microsoft Exchange files contained in the “%ExchangeInstallPath%\\Mailbox” directory are also encrypted.\r\n3 – Encrypt files on available network resources. The program also lists Active Directory computers using LDAP queries.\r\n4 – Terminate processes that contain the specified substrings in their names. The list of substrings is contained in the configuration data.\r\n5 – Stop and delete services. A list of service names is contained in the configuration data.\r\n6 – Create and check the mutex Global\\[MUTEX_NAME], where MUTEX_NAME is the mutex name generated from the string in the MachineGuid registry parameter.\r\n7 – Print the text file with the ransom demand when the encryption is complete (version 1.9 and higher).\r\n8 – Transmit data about the compromised system and the encryption results to the threat actors. The information is sent in encrypted form (AES-128 ECB) as HTTP POST requests. The list of addresses is contained in the configuration data.\r\nOffset table of configuration parameter values\r\nThe table contains 32-bit numbers that represent offsets, relative to the beginning of the table itself, of the remaining configuration data fields, which are stored as null-terminated Base64 strings. If an offset is 0, the field has no value.\r\nOffset – Description\r\n00h – Offset of the list of checksums of directory names that are skipped during encryption\r\n04h – Offset of the list of checksums of file names that are skipped during encryption\r\n08h – Offset of the list of checksums of file extensions skipped during encryption\r\n0Ch – Offset of the list of checksums of computer names that are not encrypted in safe mode (version 1.9 and higher)\r\n10h – Not used\r\n14h – Offset of the list of process name substrings\r\n18h – Offset of the list of service names\r\n1Ch – Offset of the list of internet addresses for transmitting identification data\r\n20h – Offset of the encrypted list of credentials\r\n24h – Offset of the encrypted contents of the text file that contains the ransom demand\r\nKnown versions\r\nVersion – PE timestamp (UTC) – Description\r\n1.2 – 2021-07-23 20:51:18 – The first detected version of BlackMatter that was used in an attack.\r\n– 2021-07-23 20:51:30 – DLL implementation of the ransomware. Some of the detected samples were contained in obfuscated PowerShell scripts and were injected into the current PowerShell process when the scripts were run.\r\n1.4 – 2021-07-29 18:00:47 – 1) Added the ability to encrypt Microsoft Exchange files. 2) Once encryption is complete, the text file containing the ransom demand is sent to the default printer.\r\n1.6 – 2021-08-03 18:10:59 – The text file containing the ransom demand is not printed if the default printer name contains the substring “PDF”.\r\n– 2021-08-03 18:11:09 – DLL implementation of the ransomware. The detected samples were contained in obfuscated PowerShell scripts and were injected into the current PowerShell process when the scripts were run.\r\n1.9 – 2021-08-12 22:22:01 – 1) Use of the ChaCha20 stream cipher to encrypt the contents of the files. 2) Files with the extensions “mdf”, “ndf”, “edb”, “mdb” and “accdb” are encrypted as big files regardless of the value of the corresponding flag in the configuration. 3) A list of checksums of the names of computers that are not encrypted in safe mode has been added to the configuration. 4) A flag has been added to the configuration to print the text file containing the ransom demand on the default printer after encryption is complete. 5) The checksum of the text file containing the ransom demand has been added to the configuration.\r\n2.0 – 2021-08-16 07:13:07 – Changed the program data encryption algorithm.\r\n– 2021-09-26 08:10:51 – When the text file containing the ransom demand is printed, the port name is checked instead of the default printer name. Printing is not possible if the default printer port name is “XPSPort:”, “SHRFAX:”, “FILE:” or “PORTPROMPT:”.\r\n– 2021-09-26 08:10:44 – DLL implementation of the ransomware. The detected samples were contained in obfuscated PowerShell scripts and were injected into the current PowerShell process when the scripts were run.\r\n3.0 – 2021-10-22 15:32:08 – 1) The encryption of program data has been changed. 2) The implementation of the ChaCha20 encryption algorithm has been changed. 3) Memory blocks containing key information are protected from being viewed by other users. 4) The encryption of large files has been changed. 5) With the exception of image files (png, gif, jpg), the names of encrypted files are replaced with 7 random characters. 6) The program extracts the icon associated in the system with the extension of the encrypted files (VICTIM_ID).\r\nBlackMatter for Linux\r\nBlackMatter ransomware for Linux targets VMware ESXi servers. According to the settings in the configuration data, the ransomware can stop virtual machines and terminate specified processes before data encryption. The ransomware also disables the firewall. To encrypt virtual machine files, the ransomware uses the esxcli utility to obtain a list of storage volumes with the “vmfs”, “vffs” and “nfs” file systems.\r\nBlackMatter for Linux implements multithreaded encryption of files with the extensions specified in the configuration. Data is encrypted in blocks that are multiples of one megabyte using the HC-256 stream cipher. HC-256 keys are encrypted using the RSA-4096 public key. The CryptoPP crypto library is used to implement the encryption algorithms. Data transfer to attacker-controlled resources on the internet is implemented in the malware using the libcurl library.\r\nConfiguration\r\nBlackMatter configuration data for Linux is contained in the “.cfgETD” section of the ELF file. The data is encrypted, compressed using the zlib data compression library, and encoded using Base64.\r\nEncrypted configuration data after Base64 decoding and zlib decompression:\r\nThe configuration data is encrypted using a cyclic bytewise XOR operation with the key contained in the first 32 bytes. After decryption, the configuration data is in JSON format.\r\nConfiguration parameters\r\nParameter – Description\r\nrsa – RSA public encryption key in PEM format (Base64 encoded DER).\r\nremove-self (true, false) – Delete itself upon completion.\r\nworker-concurrency – Number of encryption threads (0 – by the number of processors).\r\ndisk:\r\n  enable (true, false) – Encrypt files on a disk.\r\n  type (single, multiple) – Encryption mode.\r\n  dark-size – Maximum size of encrypted data within a file in megabytes.\r\n  white-size – Maximum size of unencrypted data in megabytes (used in multiple mode).\r\n  min-size – Minimum size of encrypted files in megabytes (0 – default is 1 MB).\r\n  extension-list – List of extensions of files subject to encryption.\r\nlog:\r\n  enable (true, false) – Create and maintain a report file.\r\n  level (verbose, info) – Report depth.\r\n  path – Path to the report file.\r\nmessage:\r\n  enable (true, false) – Create a text file containing the ransom demand.\r\n  file-name – Name of the text file.\r\n  file-content – Contents of the text file.\r\nlanding:\r\n  enable (true, false) – Transmit information about the compromised system and the encryption results. The information is sent in encrypted form (AES-128 ECB) as HTTP POST requests.\r\n  bot-id – Company ID (the value is identical to bot_company from the Windows version).\r\n  key – AES-128 ECB encryption key for encrypting the data being transmitted.\r\n  urls – List of internet addresses for transmitting identification data.\r\nkill-vm:\r\n  enable (true, false) – Stop virtual machines.\r\n  ignore-list – Allow list of virtual machine names.\r\nkill-process:\r\n  enable (true, false) – Terminate processes.\r\n  list – List of processes to be terminated.\r\nKnown versions\r\nVersion – Description\r\n1.6.0.2 – The first identified version of BlackMatter for Linux used in an attack.\r\n1.6.0.4 – Minor changes.\r\nVictims and threat actors\r\nTo identify its victims, BlackMatter uses a unique 16-byte identifier contained in the configuration data: company_id (Windows version) and bot-id (Linux version). For each victim, the attackers create a Tor chat room for communication. The link to this chat is specified in the text file containing the ransom demand.\r\nWhen the ultimatum expires, the threat actors double the ransom amount, and later publish the stolen documents if the victim refuses to pay.\r\nInitially, these chats were public, and many people were privy to the correspondence between BlackMatter “tech support” and their victims and even tried to outwit them.\r\nSource: https://twitter.com/ddd1ms/status/1441044423798820889\r\nOn September 23, 2021, BlackMatter partners closed public access to the chat rooms, and now a session key is required to log in, which requires verification of the company and confirmation of the victim’s affiliation.\r\nVictimology\r\ncompany_id IDs and Tor links extracted from the ransomware and from the text files containing the ransom demand.\r\ncompany_id TOR link\r\n512478c08dada2af19e49808fbda5b0b http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/7NT6LXKC1XQHW5\r\n5ecf7b9cde33f85a3eec9350275b5c4f 
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/OR7OTLBK8D5UVH\r\ncaa0d21adc7bdc4dc424497512a8f37d http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/8ZHJ2G2FJDX9JSH\r\n32bd08ad5e5e881aa2634621d611a1a5 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/OYPF561W4U8HVA\r\ne4aaffc36f5d5b7d597455eb6d497df5 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/5AZHJFLKJNPOJ4F5\r\nb8726db5d916731db5625cfc30c4f7d9 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/5PBOYRSETHVDBD\r\n0c6ca0532355a106258791f50b66c153 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/RSW33BDOYPLWM\r\n506d1d0f4ed51ecc3e9cf1839a4b21a7 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/6O5KBMY42CFGLL\r\n10d51524bc007aa845e77556cdcab174 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.].onion/9MDXJ6LXOUEK84A\r\n879194e26a0ed7cf50f13c681e711c82 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/9YDGH04DC6ZS7R\r\n90a881ffa127b004cec6802588fce307 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/X3452I2VDTHM30QX\r\n58c572785e542f3750b57601df612fc4 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/YX6RXMC65MRX8L\r\nbab21ee475b52c0c9eb47d23ec9ba1d1 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/GDBJS76DH3D4IKQD\r\n28cc82fd466e0d0976a6359f264775a8 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/EBVCVJNCPM6A3NK\r\nhttps://blog.group-ib.com/blackmatter2\r\nPage 13 of 18\n\ncompany_id TOR link\r\n24483508bccfe72e63b26a1233058170 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/0JOA98TDMXLHJ77V\r\n04bdf8557fa74ea0e3adbd2975efd274 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/A9K0IM6DK7ILWAV\r\n64139b5d8a3f06921a9364c262989e1f 
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/9BEBTCZQN6BQJ9\r\n5791ae39aeab40b5e8e33d8dce465877 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/LEOYRMQLSRHFG\r\nd58b3b69acc48f82eaa82076f97763d4 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/O3KTUJZRE6CB4Q1\r\nb0e039b42ef6c19c2189651c9f6c390e http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/LH2WLI60XU9O283R\r\n6bed8cf959f0a07170c24bb972efd726 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/GBSLNRB4NL0OG6\r\nb368c1ee6bca2086d8169628466c0d3b http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/IRCWUUXN0Y4BIF\r\n14a875a2bd63041b2b3e5c323e8d5eee http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.[.]onion/D4MX4VGFCMO7M\r\nd73c69209fbe768d5fa7ffbcad509c66 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/1ILW209PJZUAJJEX\r\nd0e84579a05c8e92e95eee8f5d0000e5 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/5PRYG0PCO2OW528\r\n30f784136940874b4eb68188a3bfb246 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/24HUMRRAZYQND\r\n207aab0afc614ac68359fc63f9665961 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/EWX33VYY3IGOX\r\n3e8e2ab5fbb392508535983b7446ba17 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/S2A4H6RGPHHLU1\r\n09c87c28bed23dbe6ff5aa561d38766b http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/Q0DVRYWVDUGDD\r\n6e46d36711d8be390c2b8121017ab146 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/HCWB50PNECHW5C\r\n4e591a315c54e8800dae714320555fa5 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/U6H6RKDF6W3B8X\r\n0361b6a1f37016ed147e7617a3c08300 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/QLA44XK2K4K1RZL\r\na77ac611487df21715d824d8ccbf3f6a 
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/TMWRS0D3MP750FU\r\nb61fd808b57c1cab3824a887857bf6a8 http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/EXJ0CFHWOZIISIE\r\n610e4366504d4d2848359d75d84ec295 http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion/Z1DHIS62B9LUNC74\r\nhttp://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd[.]onion/OERPnbmCxAOFXV\r\nAs mentioned above, BlackMatter partners are trying not to draw attention to their activities, so the threat actors\r\nchoose small and medium-sized businesses as the targets of their attacks. However, the attacks on Olympus and NEW\r\ncooperative caused a public outcry.\r\nIndicators of compromise\r\nC\u0026C\r\narrow_drop_down\r\nhttps://paymenthacks[.]com\r\nhttp://paymenthacks[.]com\r\nhttps://mojobiden[.]com\r\nhttp://mojobiden[.]com\r\nhttps://nowautomation[.]com\r\nhttp://nowautomation[.]com\r\nhttps://fluentzip[.]org\r\nhttp://fluentzip[.]org\r\nSHA-256\r\narrow_drop_down\r\nBlackMatter for Windows v1.2\r\nhttps://blog.group-ib.com/blackmatter2\r\nPage 14 of 
18\n\n072158f5588440e6c94cb419ae06a27cf584afe3b0cb09c28eff0b4662c15486\r\n22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6\r\n2c323453e959257c7aa86dc180bb3aaaa5c5ec06fa4e72b632d9e4b817052009\r\n3a03530c732ebe53cdd7c17bee0988896d36c2b632dbd6118613697c2af82117\r\n4ad9432cc817afa905bab2f16d4f713af42ea42f5e4fcf53e6d4b631a7d6da91\r\n6155637f8b98426258f5d4321bce4104df56c7771967813d61362c2118632a7b\r\n668a4a2300f36c9df0f7307cc614be3297f036fa312a424765cdb2c169187fe6\r\n72687c63258efe66b99c2287748d686b6cca2b0eb6f5398d17f31cb46294012c\r\n7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984\r\nc6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99\r\nc728e3a0d4a293e44314d663945354427848c220d05d5d87cdedd9995fee3dfe\r\nf63c6d08ebfba65173763c61d3767667936851161efa51ff4146c96041a02b20\r\n84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f\r\nBlackMatter Decryptor for Windows v1.3\r\na6e14988d91f09db44273c79cba51c16b444afafa37ba5968851badb2a62ef27\r\nBlackMatter for Windows v1.4\r\n7c642cdeaa55f56c563d82837f4dc630583b516a5d02d5a94b57b65489d74425\r\ncf60d0d6b05bfe2e51ca9dac01a4ae506b90d78d8d9d0fc266e3c01d8d2ba6b7\r\nBlackMatter for Windows v1.6\r\n6d4712df42ad0982041ef0e2e109ab5718b43830f2966bd9207a7fac3af883db\r\n86c84c07e27cc8aba129e1cf51215b65c445f178b94f2e8c4c10e6bc110daa94\r\nb824bbc645f15e213b4cb2628f7d383e9e37282059b03f6fe60f7c84ea1fed1f\r\ne4fd947a781611c85ea2e5afa51b186de7f351026c28eb067ad70028acd72cda\r\nBlackMatter for Windows v1.9\r\n2466fca0e29b06c78ffa8a44193fb58c30e6bec4e54bbef8e6622349b95cce4c\r\nBlackMatter for Windows v2.0 
(2021-08-16)\r\n0751c422962dcd500d7cf2cf8bf544ddf5b2fe3465df7dd9b9998f6bba5e08a4\r\n1c63a4fdee1528429886a0de5e89eaa540a058bf27cd378b8d139e045a2f7849\r\n1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2\r\n20742987e6f743814b25e214f8b2cd43111e2f60a8856a6cca87cafd85422f41\r\n2cdb5edf3039863c30818ca34d9240cb0068ad33128895500721bcdca70c78fd\r\n2e50eb85f6e271001e69c5733af95c34728893145766066c5ff8708dcc0e43b2\r\n3a4bd5288b89aa26fbe39353b93c1205efa671be4f96e50beae0965f45fdcc40\r\n4be85e2083b64838fb66b92195a250228a721cdb5ae91817ea97b37aa53f4a2b\r\n520bd9ed608c668810971dbd51184c6a29819674280b018dc4027bc38fc42e57\r\n5da8d2e1b36be0d661d276ea6523760dbe3fa4f3fdb7e32b144812ce50c483fa\r\nhttps://blog.group-ib.com/blackmatter2\r\nPage 15 of 18\n\n66e6563ecef8f33b1b283a63404a2029550af9a6574b84e0fb3f2c6a8f42e89f\r\n706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d\r\n8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac\r\n8f1b0affffb2f2f58b477515d1ce54f4daa40a761d828041603d5536c2d53539\r\n9cf9441554ac727f9d191ad9de1dc101867ffe5264699cafcf2734a4b89d5d6a\r\nb0e929e35c47a60f65e4420389cad46190c26e8cfaabe922efd73747b682776a\r\nb4b9fdf30c017af1a8a3375218e43073117690a71c3f00ac5f6361993471e5e7\r\ncb5a89a31a97f8d815776ff43f22f4fec00b32aae4f580080c7300875d991163\r\ne4a2260bcba8059207fdcc2d59841a8c4ddbe39b6b835feef671bceb95cd232d\r\ne9b24041847844a5d57b033bf0b41dc637eba7664acfb43da5db635ae920a1b4\r\neaac447d6ae733210a07b1f79e97eda017a442e721d8fafe618e2c789b18234b\r\neafce6e79a087b26475260afe43f337e7168056616b3e073832891bf18c299c1\r\nf7b3da61cb6a37569270554776dbbd1406d7203718c0419c922aa393c07e9884\r\n496cd9b6b6b96d6e781ab011d1d02ac3fc3532c8bdd07cae5d43286da6e4838d\r\nBlackMatter for Windows v2.0 
(2021-09-26)\r\n2aad85dbd4c79bd21c6218892552d5c9fb216293a251559ba59d45d56a01437c\r\n4524784688e60313b8fefdebde441ca447c1330d90b86885fb55d099071c6ec9\r\n5236a8753ab103634867289db0ba1f075f0140355925c7bd014de829454a14a0\r\n69e5f8287029bcc65354abefabb6854b4f7183735bd50b2da0624eb3ae252ea8\r\n730f2d6243055c786d737bae0665267b962c64f57132e9ab401d6e7625c3d0a4\r\n8eada5114fbbc73b7d648b38623fc206367c94c0e76cb3b395a33ea8859d2952\r\nccee26ea662c87a6c3171b091044282849cc8d46d4b9b9da6cf429b8114c4239\r\ned47e6ecca056bba20f2b299b9df1022caf2f3e7af1f526c1fe3b8bf2d6e7404\r\nfe2b2beeff98cae90f58a5b2f01dab31eaa98d274757a7dd9f70f4dc8432a6e2\r\n26a7146fbed74a17e9f2f18145063de07cc103ce53c75c8d79bbc5560235c345\r\nBlackMatter for Windows v3.0 (2021-10-22)\r\n7a223a0aa0f88e84a68da6cde7f7f5c3bb2890049b0bf3269230d87d2b027296\r\n9bae897c19f237c22b6bdc024df27455e739be24bed07ef0d409f2df87eeda58\r\n2f20732aaa3d5ce8d2efeb37fe6fed7e73a29104d8227a1160e8538a3ee27dad\r\n9a8cd3a30e54a2ebb6d73fd7792ba60a6278a7301232321f226bb29fb8d0b3d6\r\nBlackMatter for Linux v1.6.0.2\r\n1247a68b960aa81b7517c614c12c8b5d1921d1d2fdf17be636079ad94caf970f\r\n6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502\r\nBlackMatter Decryptor for Linux v1.6.0.2\r\n1247a68b960aa81b7517c614c12c8b5d1921d1d2fdf17be636079ad94caf970f\r\n6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502\r\nhttps://blog.group-ib.com/blackmatter2\r\nPage 16 of 18\n\nBlackMatter for Linux v1.6.0.4\r\nd4645d2c29505cf10d1b201826c777b62cbf9d752cb1008bef1192e0dd545a82\r\nYARA rules\r\n/*\r\nBlackMatter ransomware\r\n*/\r\nimport \"elf\"\r\nrule DarkSide_BM\r\n{\r\n meta:\r\n author = \"Andrey Zhdanov\"\r\n company = \"Group-IB\"\r\n family = \"ransomware.darkside_blackmatter\"\r\n description = \"DarkSide/BlackMatter ransomware Windows payload\"\r\n severity = 10\r\n score = 100\r\n strings:\r\n $h1 = { 64 A1 30 00 00 00 8B B0 A4 00 00 00 8B B8 A8 00\r\n 00 00 83 FE 05 75 05 83 FF 01 }\r\n condition:\r\n ((uint16(0) == 0x5A4D) and 
(uint32(uint32(0x3C)) == 0x00004550)) and\r\n (\r\n (1 of ($h*))\r\n )\r\n}\r\nrule BlackMatter\r\n{\r\n meta:\r\n author = \"Andrey Zhdanov\"\r\n company = \"Group-IB\"\r\n family = \"ransomware.blackmatter.windows\"\r\n description = \"BlackMatter ransomware Windows payload\"\r\n severity = 10\r\n score = 100\r\n strings:\r\n $h0 = { 80 C6 61 80 EE 61 C1 CA 0D 03 D0 }\r\n $h1 = { 02 F1 2A F1 B9 0D 00 00 00 D3 CA 03 D0 }\r\n $h2 = { 3C 2B 75 04 B0 78 EB 0E 3C 2F 75 04 B0 69 EB 06\r\n 3C 3D 75 02 B0 7A }\r\n $h3 = { 33 C0 40 40 8D 0C C5 01 00 00 00 83 7D 0? 00 75\r\n 04 F7 D8 EB 0? }\r\n condition:\r\n ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and\r\n (\r\n (1 of ($h*))\r\n )\r\n}\r\nrule BlackMatter_Linux\r\n{\r\n meta:\r\n author = \"Andrey Zhdanov\"\r\n company = \"Group-IB\"\r\n family = \"ransomware.blackmatter.linux\"\r\n description = \"BlackMatter ransomware Linux payload\"\r\n severity = 10\r\n score = 100\r\n strings:\r\n $h0 = { 0F B6 10 84 D2 74 19 0F B6 34 0F 40 38 F2 74 10\r\n 48 83 C1 01 31 F2 48 83 F9 20 88 10 49 0F 44 C9\r\n 48 83 C0 01 4C 39 C0 75 D7 }\r\n $h1 = { 44 42 46 44 C7 4? [1-2] 30 35 35 43 C7 4? [1-2]\r\n 2D 39 43 46 C7 4? [1-2] 32 2D 34 42 C7 4? [1-2]\r\n 42 38 2D 39 C7 4? [1-2] 30 38 45 2D C7 4? [1-2]\r\n 36 44 41 32 C7 4? [1-2] 32 33 32 31 C7 4? [1-2]\r\n 42 46 31 37 }\r\n condition:\r\n (uint32(0) == 0x464C457F) and\r\n (\r\n (1 of ($h*)) or\r\n for any i in (0..elf.number_of_sections-2):\r\n (\r\n (elf.sections[i].name == \".app.version\") and\r\n (elf.sections[i+1].name == \".cfgETD\")\r\n )\r\n )\r\n}\r\nHow to protect your network against ransomware\r\nMake your remote access tools secure. Use multifactor authentication or at least set complex passwords and change them regularly.\r\nEliminate vulnerabilities in publicly accessible apps as soon as possible, especially those that could allow attackers to bypass the external perimeter.\r\nImplement comprehensive email protection to detect and stem the most sophisticated threats.\r\nMonitor what your contractors do in your network. Providing them with remote access should be strictly regulated.\r\nInstantly patch vulnerabilities on hosts on the internal network that attackers could leverage to escalate privileges or propagate across the network.\r\nMonitor the use of dual-use tools that could help attackers conduct network reconnaissance, obtain authentication data, and much more.\r\nRestrict access to cloud storage. This will help keep attackers from exfiltrating data from the corporate network.\r\nMake sure all accounts have the least possible privileges on the systems. In case of an attack, this will make it difficult for threat actors to move laterally across the network.\r\nUse separate accounts with multifactor authentication to access servers containing backups. Moreover, make sure that you have offline copies.\r\nImplement a modern threat monitoring and blocking tool that will help contain and repel attacks at any stage of the kill chain.\r\nFor more information about attacks using human-operated ransomware, see the Group-IB report “Ransomware Uncovered 2021/2022”.\r\nSource: https://blog.group-ib.com/blackmatter2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/blackmatter2"
	],
	"report_names": [
		"blackmatter2"
	],
	"threat_actors": [],
	"ts_created_at": 1777949185,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/773df0669dde750242796eae846b900f83a9338b.pdf",
		"text": "https://archive.orkl.eu/773df0669dde750242796eae846b900f83a9338b.txt",
		"img": "https://archive.orkl.eu/773df0669dde750242796eae846b900f83a9338b.jpg"
	}
}