{
	"id": "7fcc57bb-e062-4d91-a00e-31fcd6d6f1b6",
	"created_at": "2026-04-06T00:14:09.944346Z",
	"updated_at": "2026-04-10T03:20:48.922943Z",
	"deleted_at": null,
	"sha1_hash": "7faab8ae244dc35b240f3672e97509cd4900639d",
	"title": "Rapidly Evolving BlackMatter Ransomware Tactics – Cipher Tech Solutions, Inc.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 950801,
	"plain_text": "Rapidly Evolving BlackMatter Ransomware Tactics – Cipher Tech\r\nSolutions, Inc.\r\nArchived: 2026-04-05 21:41:47 UTC\r\nSeptember 8, 2021 | By Cipher Tech ACCE Team\r\nSummary \r\nCipher Tech analysts monitoring VirusTotal for BlackMatter ransomware activity discovered new\r\nvariants of BlackMatter malware self-reporting as versions 1.9 and 2.0. The new BlackMatter malware samples contain\r\nadditional functionality, changes to the configuration data, and version 2.0 additionally introduces changes to the\r\nconfiguration decryption algorithm. Cipher Tech analysts developed an ACCE module to automate the extraction\r\nof BlackMatter malware’s configuration data. Cipher Tech’s analysis reveals new variants of BlackMatter malware and a\r\nrefinement in BlackMatter’s tactics, techniques, and procedures. \r\nWho is BlackMatter \r\nBlackMatter is a ransomware affiliate program actively attacking victims that was first identified in July\r\n2021 by Recorded Future and security researcher pancak3. BlackMatter claims to derive from the now inactive REvil\r\nand DarkSide ransomware affiliate programs. Supporting BlackMatter’s claim, a joint code correlation effort\r\nbetween BleepingComputer and Emsisoft suggests that BlackMatter malware’s encryption routines contain strong\r\nsimilarities to DarkSide malware samples. \r\nBlackMatter claims to target companies in the US, UK, Canada, or Australia with between 500 – 15,000 hosts and revenues\r\nof at least 100K. BlackMatter claims they will not target the following industries and will provide free decryption services\r\nto BlackMatter victims in these industries. 
\r\nHospitals \r\nCritical infrastructure facilities \r\nhttps://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/\r\nPage 1 of 11\n\nOil and gas industry \r\nDefense industry \r\nNon-profit companies \r\nGovernment sector \r\nBackground \r\nCipher Tech analysts leveraged ACCE to discover, decrypt, and parse configuration data from BlackMatter ransomware\r\nsamples with reported version numbers of 1.9 and 2.0. Cipher Tech has not identified detailed public reporting for\r\nsamples with a version number above 1.2. This suggests either a fast development cycle or a refinement in TTPs with\r\nrespect to versioning. \r\nCipher Tech’s ACCE software enables the automated extraction of configuration data from supported malware samples.\r\nACCE indicated that the 1.9 and 2.0 samples’ configuration data differed from the format expected by\r\nACCE’s existing BlackMatter configuration parser. Based on the change in configuration, Cipher Tech\r\nanalysts examined the samples to identify differences between BlackMatter’s 1.2 ransomware sample,\r\nBlackMatter’s 1.9 ransomware sample, and BlackMatter’s 2.0 ransomware sample. \r\nAnalysis of the BlackMatter 1.9 sample and its configuration data revealed that BlackMatter added additional capabilities to\r\nBlackMatter 1.9. BlackMatter 1.9 contains the following new functionality: \r\nPrint ransom notes to a locally installed printer \r\nCheck the hostname of a compromised system prior to installation \r\nAdditional verification checks to ensure BlackMatter does not encrypt their own ransom note \r\nProvide additional details and evidence of stolen information within the ransom note \r\nFurther analysis of the BlackMatter 2.0 sample, reported by @sisoma2 on Twitter, and its configuration data revealed that\r\nBlackMatter uses all the changes indicated for 1.9 above, and changed the decryption algorithm for the configuration data\r\nand some encrypted strings. 
BlackMatter 2.0 uses the following decryption methodology: \r\nA 64-bit seed/key for configuration and string decryption \r\nA modified MMIX-LCG pseudo-random number generator (PRNG) algorithm for generating the key used to decrypt\r\neach 8-byte block of the encrypted configuration data / string. \r\nA byte-swap algorithm for adjusting the generated MMIX-LCG state value into an XOR key for decrypting each 8-byte block. \r\nSamples Compared \r\nThis post will demonstrate these changes in BlackMatter Versions 1.9 and 2.0 in comparison to a BlackMatter Version 1.2\r\nsample. For the purposes of the analysis presented below: \r\nVersion 1.2 reflects the BlackMatter Ransomware with MD5 598c53bfef81e489375f09792e487f1a, compiled 2021-07-23T20:51:18+00:00 \r\nVersion 1.9 reflects the BlackMatter Ransomware with MD5 f1c260c31b9d3f9ff54a142d508ec602, compiled 2021-08-12T22:22:01+00:00 \r\nVersion 2.0 reflects the BlackMatter Ransomware with MD5 38035325b785329e3f618b2a0b90eb75, compiled 2021-08-16T07:13:07+00:00 \r\nConfiguration Decryption \r\nThe encrypted configuration data structure for 1.9 remains the same as previously documented by Group-IB: the data is\r\nstored in the .rsrc PE section, although there are no actual resources. The following Python construct documents the layout: \r\nFigure 1: Version 1.9 Encrypted Configuration Structure \r\nThe encrypted configuration data structure for 2.0, however, is modified to account for the change in decryption algorithm.\r\nThe following Python structure defines the change, where the seed is now 8 bytes instead of 4:\r\nFigure 2: Version 2.0 Encrypted Configuration Structure \r\nAlgorithm Changes \r\nThe decryption algorithm in Versions 1.2 and 1.9 used an XOR algorithm where the key for each 4-byte block was generated\r\nusing a modified Delphi/Pascal-LCG PRNG. 
The standard Delphi/Pascal-LCG masks each round to generate a floating\r\npoint number in the range 0-1, whereas the modified algorithm masks each round as shown in Figure 3, where “seed” is the\r\ninitial seed value reflected in Figure 1: \r\nFigure 3: Version 1.9 Delphi/Pascal-LCG Mask \r\nVersion 2.0 uses a modified MMIX-LCG algorithm for key generation, where the standard parameters are represented in\r\nFigure 4 and the BlackMatter parameters are represented in Figure 5. Additionally, in the standard MMIX-LCG the value is\r\nnot masked, and in BlackMatter the value is masked as seen in Figure 6, where “seed” is the initial seed value reflected in\r\nFigure 2. \r\nFigure 4: Standard MMIX-LCG Parameters \r\nFigure 5: BlackMatter MMIX-LCG Parameters \r\nFigure 6: BlackMatter MMIX-LCG Mask \r\nIn addition to the LCG-PRNG algorithm changes, 2.0 decrypts in 8-byte blocks (previously 4-byte blocks) and conducts a\r\nbyte-swap on the MMIX-LCG generated value each round before using it as an XOR key for the 8-byte block. For each\r\nMMIX-LCG generated value, the following byte-swap is performed: \r\nFigure 7: Version 2.0 Byte-Swap \r\nFollowing decryption, there are no additional changes in the procedure, and configuration data is aPLib decompressed in all\r\nversions (1.2, 1.9, and 2.0) and parsed. \r\nConfiguration Parsing \r\nThe decrypted and decompressed configuration data yields several differences, as described below. There were no changes\r\nin the configuration data from 1.9 to 2.0, so all differences will reflect a comparison between 1.2 and 1.9. \r\nDifference 1: Configuration Flag – Print Ransom Note \r\nFigure 8: Version 1.2/1.9 Configuration Flag Parsing \r\nThe first noticeable difference is in the number of parsed flags. In Version 1.2 on the left, 8 flags are parsed, while in Version\r\n1.9 on the right, 9 flags are parsed. 
\r\nFigure 9: Version 1.2/1.9 Configuration Structure\r\nThe additional flag is described above for Version 1.9 on the right as print_ransom, which is noticeably absent from Version\r\n1.2 on the left. If the print_ransom field is set, during runtime the BlackMatter ransomware will invoke the method below,\r\nwhich calls the dynamically resolved API GetDefaultPrinterW (which is not resolved in Version 1.2) and, if the default\r\nprinter is not a “PDF” printer, it will print the ransom note to that printer. \r\nFigure 10: Version 1.9 Print Ransom Note Function \r\nDifference 2: Configuration Parameter – Invalid Hostnames \r\nFigure 11: Version 1.9 Configuration Structure \r\nThe second configuration difference is in the inclusion of invalid hostname hashes, displayed in the structure above. The\r\nhostnames are leveraged in the “safe mode” function, as described by Sophos. The difference from Version 1.2 to Version\r\n1.9 is the inclusion of a function which checks if the compromised system is an invalid host. \r\nFigure 12: Version 1.2/1.9 Safe Install Function\r\nAs displayed in the screenshot below, the comparison is achieved by hashing and comparing the hostname to the list of\r\ninvalid hostname hashes, using the ROR-13-ADD hash algorithm (lowercase string, include null terminator). \r\nFigure 13: Version 1.9 Invalid Host Name Check \r\nThe Version 1.9 analyzed sample was not configured with any invalid hostname hashes; however, it can be surmised that the\r\nmalware authors are attempting to avoid running in sandboxes or other virtual analysis environments. 
\r\nDifference 3: Configuration Parameter – Ransom Note Hash \r\nFigure 14: Version 1.2/1.9 Configuration Structure \r\nThe final configuration difference is the inclusion of the ransom note hash, using the ROR-13-ADD hash algorithm (include\r\nnull terminator, use seed of -1). \r\nFigure 15: Version 1.2/1.9 Verify Not Ransom Note Function \r\nIn Version 1.2 on the left, we can observe that the BlackMatter ransomware will verify the input file is the same size as the\r\nransom note, and that the filename hash (ROR-13-ADD hash algorithm (lowercase string, include null terminator, use seed\r\nof -1)) is the same as the previously calculated value. On the right, Version 1.9 contains the same checks, but additionally\r\nhashes the file data to compare against the configured hash value. \r\nRansom notes have been observed in varying sizes, with some containing extra information in comparison to others, so the\r\npurpose of this change is unknown. \r\nDifference 4: Ransom Note \r\nThe ransom note obtained from Version 1.9 contains significantly more content than the one obtained from Version 1.2. The\r\nadditional content includes details of the type of information stolen from the victim and print.sc links which presumably\r\nprovide evidence that the information has been stolen. print.sc is a screenshot sharing service associated with\r\nthe LightShot screenshot application. \r\nFigure 16: Version 1.9 Ransom Note \r\nFigure 17: Version 1.2 Ransom Note \r\nConclusion \r\nThe BlackMatter ransomware group is actively compromising victims and evolving their ransomware tooling and processes;\r\nnetwork defenders need to remain just as vigilant. 
Cipher Tech’s ACCE solution leverages more than a decade of defense\r\nexpertise to provide a service that can support your incident response and malware analysis teams in automating the process\r\nof identifying, unpacking, deobfuscating, decrypting, and parsing supported adversarial tooling. \r\nCipher Tech will continue to monitor the ransomware threat landscape and do our part to inform defenders on the threats to\r\ntheir networks and their customers’ data. \r\nIOCs \r\nHashes (MD5) \r\nC2 URLs\r\nhttp://mojobiden.com \r\nhttp://nowautomation.com \r\nhttp://paymenthacks.com \r\nTOR Ransom URLs \r\nTOR Blog URLs \r\nhttp://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/xscSyb9oue/b2ec5065190ebe423b201a9f2af97bb\r\nSource: https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/"
	],
	"report_names": [
		"rapidly-evolving-blackmatter-ransomware-tactics"
	],
	"threat_actors": [],
	"ts_created_at": 1775434449,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7faab8ae244dc35b240f3672e97509cd4900639d.pdf",
		"text": "https://archive.orkl.eu/7faab8ae244dc35b240f3672e97509cd4900639d.txt",
		"img": "https://archive.orkl.eu/7faab8ae244dc35b240f3672e97509cd4900639d.jpg"
	}
}