{
	"id": "769377e8-65d8-4c53-854e-11ca3cadf53f",
	"created_at": "2026-05-05T02:45:11.636797Z",
	"updated_at": "2026-05-05T02:46:36.936641Z",
	"deleted_at": null,
	"sha1_hash": "99316988ae008808c8939108510625b5ced226e8",
	"title": "BlackMatter Ransomware: Story behind DarkSide strain | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1772545,
	"plain_text": "BlackMatter Ransomware: Story behind DarkSide strain | Group-IB Blog\r\nArchived: 2026-05-05 02:42:35 UTC\r\nSummer 2021 brought hot weather, but also hot news from the world of ransomware. In late May, DoppelPaymer\r\nused a marketing trick and renamed its new ransomware Grief (Pay OR Grief). Moreover, in June-July the hacker\r\ngroups DarkSide and REvil disappeared from the radar after the notorious attacks against Colonial Pipeline and\r\nKaseya, respectively. By the end of July, a new player called BlackMatter had entered the ransomware market. Is\r\nBlackMatter really new on the scene, however?\r\nMeet BlackMatter\r\nAccording to information on the hackers’ website, the group has been active since July 28, 2021. Here’s what they\r\nsay about themselves:\r\nThe first victim of BlackMatter was an architecture company in the United States. When communicating\r\nwith the victim, the hackers were tough and uncompromising.\r\nhttps://blog.group-ib.com/blackmatter#\r\nPage 1 of 12\n\nThey increased the ransom demand after the ultimatum time was over.\r\nWe got our hands on a sample of BlackMatter for Windows that was used to attack the architecture company. In\r\ngeneral, the BlackMatter group has developed ransomware not only for Windows but for Linux as well, which\r\nmade it possible for the threat actors to attack Linux-based servers, including ESXi.\r\nBlackMatter ransomware, the successor of DarkSide?\r\nAs soon as we started analyzing the BlackMatter sample, we experienced a feeling of déjà vu. We had already\r\nseen this: the conceptual approach to obfuscation, encrypted configuration data located in a special section, string\r\nencryption and obfuscation of API calls… Of course! REvil and DarkSide had used the same set of obfuscation\r\ntechniques. 
The techniques were implemented in a different manner, however.\r\nTo avoid unnecessary comparisons, we can go as far as to say that the differences were drastic. Despite their small\r\nsize, the BlackMatter, REvil, and DarkSide programs are relatively functional and have very fast multithreaded file\r\nencryption mechanisms involving the I/O (input/output) completion port. Nothing extra — just business. It is\r\nobvious that the ransomware samples that we obtained were developed by highly qualified programmers\r\nwith an in-depth knowledge of system programming under Windows.\r\nFurther analysis of the sample showed that both BlackMatter and DarkSide use the Salsa20 algorithm to\r\nencrypt the victim’s files and an RSA-1024 public key to encrypt the Salsa20 keys generated for each file. A comparative\r\nanalysis of the encryption code implementation with the DarkSide samples also revealed that they are very similar.\r\nIt should be pointed out that, in March, the people behind REvil started using a political agenda in their programs.\r\nFor example, REvil samples contained the following registry key: “SOFTWARE\\BlackLivesMatter”. The last\r\ndaring attacks performed by DarkSide and REvil infuriated “the deities”, and the hacker groups were punished by\r\nthe thunderers and “banished to Tartarus”. The questions that interested everyone, from the cybersecurity\r\ncommunity to the media, were: “For how long?” and “What will they bring with them when they return?”\r\nHere are the answers. A new project with the provocative name “BlackMatter”, which had a lot in common with\r\nits predecessors, appeared on the scene two weeks after REvil’s websites were shut down. The new malware\r\nalready has one victim, and it can be considered a starting point for BlackMatter.\r\nResults of the BlackMatter sample analysis\r\nIn the BlackMatter program analyzed, the developers indicated the malware version as 1.2. 
It is obvious that there\r\nhad been earlier versions that had been tested out. It should be noted that BlackMatter malware does not perform\r\nchecks that identify whether the victim belongs to a CIS country, as had been the case with REvil and DarkSide. It\r\nis no wonder that the designers of BlackMatter do not want to be associated with Russian-speaking criminal\r\ngroups anymore.\r\nWhen BlackMatter is launched, it verifies the rights of the current user and, if necessary, attempts to bypass\r\nUAC (User Account Control) by elevating privileges using the ICMLuaUtil COM interface. In addition, if the\r\ncorresponding flag is set in the configuration, when launched the malware attempts to authenticate using the\r\naccounts contained in the configuration data.\r\nDepending on the command line parameters, the program can operate in five modes. We identified the values of\r\nthe parameters by hash:\r\n-path \u003cPATH\u003e – encrypts the specified object (directory, file, network resource).\r\n-safe – registers in the RunOnce system registry autorun key and reboots in safe mode to encrypt files.\r\n-wall – creates a BMP image with a message about file encryption and sets it as the desktop wallpaper.\r\n\u003cPATH\u003e – encrypts the specified directory / file.\r\nWhen other (or no) parameters are set, the malware encrypts files on the hard drive and on other available network\r\nresources. After completing the encryption, the program creates a BMP file with a message about encryption and\r\nsets it as the desktop wallpaper.\r\nBefore starting the encryption, BlackMatter deletes the shadow copies of the directories using a WQL (WMI\r\nQuery Language) request.\r\nAs mentioned before, BlackMatter uses the most productive ways to implement the multithreaded mechanisms to\r\nencrypt files using the I/O (input/output) completion port. 
The program sets the highest priority for the enumeration\r\nand encryption threads (THREAD_PRIORITY_HIGHEST). By default, files are encrypted only within the first\r\nmegabyte. The data block with an encrypted key is added to the end of the file. The encrypted file names are as\r\nfollows:\r\nFILENAME: original file name;\r\nVICTIM_ID: the victim’s ID based on the string contained in the parameter MachineGuid of the registry key\r\nHKLM\\SOFTWARE\\Microsoft\\Cryptography.\r\nIn each processed directory, the ransomware creates text files containing a ransom demand:\r\nDirectory names skipped during encryption\r\nwindows, system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, program files\r\n(x86), program files, $windows.~bt, public, msocache, default, all users, tor browser, programdata, boot,\r\nconfig.msi, google, perflogs, appdata, windows.old\r\nNames of excluded files\r\ndesktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini,\r\nntuser.dat.log\r\nFile extensions that are not encrypted by BlackMatter\r\nthemepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb,\r\nwpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack,\r\nshs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu\r\nThe list of exclusions is contained in the BlackMatter configuration in the form of hashes of the corresponding\r\nstrings. They are largely identical to the lists in DarkSide except for one exclusion. 
The content of the lists is\r\nclearly not a coincidence.\r\nConfiguration\r\nBlackMatter configuration data is contained in a section disguised as the resource section “.rsrc”, yet there are no\r\nresources in the program.\r\nThe first 32-bit value (0FFCAA1EAh) in the section represents the seed for the pseudorandom number generator\r\n(random seed) used to encrypt the program data. The second 32-bit value represents the actual size of the\r\nconfiguration data that follows. Before encryption, the configuration data is pre-compressed using the aPLib compression\r\nalgorithm, which is very popular among ransomware developers. The algorithm has already been seen\r\nin ransomware belonging to the DarkSide, DoppelPaymer, Clop, and other families.\r\nThe decrypted and unpacked configuration data contains an RSA-1024 public key, an identifier that the designers named\r\n“bot_company”, and an AES-128 ECB key used to encrypt data sent to the attackers.\r\nThis is followed by 8 logical flags, which define the ransomware configuration (the value set in the sample is\r\npresented in parentheses):\r\nEncrypting odd megabytes in large files starting with the first one (0);\r\nApplying authentication attempts using the following credentials contained in the configuration (1):\r\naheisler@hhcp.com:120Heisler\r\ndsmith@hhcp.com:Tesla2019\r\nadministrator@hhcp.com:iteam8**\r\nMounting volumes and encrypting files on them (1).\r\nEncrypting files on available network resources (1). 
While performing this operation, the program also\r\nenumerates Active Directory using LDAP requests.\r\nTerminating processes that contain the following substrings in their names (1):\r\nencsvc, thebat, mydesktopqos, xfssvccon, firefox, infopath, winword, steam, synctime, notepad,\r\nocomm, onenote, mspub, thunderbird, agntsvc, sql, excel, powerpnt, outlook, wordpad, dbeng50,\r\nisqlplussvc, sqbcoreservice, oracle, ocautoupds, dbsnmp, msaccess, tbirdconfig, ocssd,\r\nmydesktopservice, visio\r\nStopping and deleting services (1):\r\nmepocs, memtas, veeam, svc$, backup, sql, vss\r\nCreating and checking the mutex (1):\r\nGlobal\\\u003cMUTEX_NAME\u003e\r\nMUTEX_NAME: name of the mutex, formed based on the string from the registry parameter\r\nMachineGuid.\r\nTransferring information about the compromised system and encryption results to the threat actors (1). Encrypted\r\ninformation (AES-128 ECB) is transferred as HTTP POST requests to one of the following addresses:\r\nhttps://paymenthacks[.]com\r\nhttp://paymenthacks[.]com\r\nhttps://mojobiden[.]com\r\nhttp://mojobiden[.]com\r\nThe rest of the configuration data is contained as Base64 strings. The strings hold a list of hashes of the bypassed\r\ndirectory/file names and file extensions, a list of substrings in the names of the terminated processes, names of\r\nservices to be removed, links to the attackers’ resources used for transferring credentials, an encrypted list of\r\ncredentials used for authentication attempts, and the encrypted text of the ransom demand.\r\nObfuscation\r\nTo compare strings in the program, hashes are used in order to hide the strings in use and complicate any attempts to\r\nanalyze the malware. It has already been mentioned that excluded names and directories, as well as file\r\nextensions, are verified by comparing the string hashes. 
Command line parameters are also identified by hash.\r\nThe program uses two functions for calculating the hash: one for Unicode strings and one for ANSI strings.\r\nAs can be seen, the function for Unicode strings lowercases Latin letters when calculating the hash. The function\r\nfor ANSI strings uses the same calculation algorithm, but it is case sensitive.\r\nThe functions are similar to those used in Metasploit/Cobalt Strike.\r\nThey are also used to obfuscate calls to API functions. A combined hash of the DLL name and the function\r\nname is used to identify API functions. To obtain the addresses of the API functions required by the program, the\r\nDLLs (Dynamic Link Libraries) and the functions exported by them are enumerated via the PEB (Process Environment\r\nBlock). If the hash matches the one specified in the program code, the address of the function found is retrieved\r\nand stored in the table. However, the program does not save the function’s direct address, but rather the address of an\r\nallocated memory block containing the following code, which adds further obfuscation to the API function call:\r\nmov eax, \u003cENC_FUNC_ADDR\u003e\r\nxor eax, 22065FEDh\r\njmp eax\r\nENC_FUNC_ADDR is the result of modulo 2 addition (XOR) of the retrieved API function address and the value\r\n22065FEDh. This way of calling a function masks its actual address and makes it more complicated to analyze the\r\nprogram.\r\nThe configuration data, strings and data in the data section are encrypted by XORing them with a pseudo-random sequence of\r\n32-bit values. 
The initial value of the generator (random seed) 0FFCAA1EAh is contained\r\nat the beginning of the configuration data.\r\nStrings and data generated on the stack, as well as the program version number and some hashes of strings in the\r\nprogram, are encrypted using a circular XOR operation with the 32-bit value 022065FEDh.\r\nWhile it operates, the program also uses an anti-debugging technique that hides threads from the debugger by\r\ncarrying out an undocumented call to the function NtSetInformationThread with the parameter\r\nThreadHideFromDebugger (11h).\r\nConclusion\r\nThe analysis revealed an obvious connection between BlackMatter and the DarkSide and REvil samples,\r\nespecially DarkSide.\r\nAt the moment, we cannot be sure that the same development team is behind all three ransomware programs.\r\nHowever, it is clear that the vacant place did not remain unoccupied for long: DarkSide and REvil were\r\nreplaced by the no less sophisticated BlackMatter. According to a statement in Russian made by the hacker\r\ngroup’s representative as part of an interview for Recorded Future, the work on the ransomware took about six\r\nmonths, and the best solutions from the LockBit, REvil, and DarkSide programs were used to create the program.\r\nWe believe that the representative is hiding something. It is doubtful that the unrelated groups LockBit, REvil, and\r\nDarkSide would share their expensive source code with a competitor, while reverse engineering ransomware is\r\ntime-consuming and makes little sense.\r\nThe shadow economy created by those behind the ransomware is attracting more and more new players, while old\r\nones either change their mask or unite into new partnership programs and create spin-off projects. Today,\r\nransomware is the most profitable cybercriminal business. 
It thrives thanks to a mutually beneficial business\r\nmodel that brings together cybercriminals with various specializations. Failure to clearly understand the\r\nransomware business is the number one problem for any company, industry, or country.\r\nVictims often neglect information security and save money on building an effective defense against such\r\nthreats only to then pay out a lot more to criminals and in fact sponsor criminal activities.\r\nHow to protect your network against ransomware:\r\nMake your remote access tools secure. Use multifactor authentication or at least set complex passwords\r\nand change them regularly.\r\nEliminate vulnerabilities in publicly accessible apps as soon as possible, especially those that could allow\r\nattackers to bypass the external perimeter.\r\nImplement comprehensive email protection to detect and stem the most sophisticated threats.\r\nMonitor what your contractors do in your network. Providing them with remote access should be strictly\r\nregulated.\r\nInstantly patch vulnerabilities on hosts on the internal network that attackers could leverage to escalate\r\nprivileges or propagate across the network.\r\nMonitor the use of dual-use tools that could help attackers conduct network reconnaissance, obtain\r\nauthentication data, and much more.\r\nRestrict access to cloud storage. This will help keep attackers from exfiltrating data from the corporate\r\nnetwork.\r\nMake sure all accounts have the least possible privileges on the systems. In case of an attack, this will\r\nmake it difficult for threat actors to move laterally across the network.\r\nUse separate accounts with multifactor authentication to access servers containing backups. Moreover,\r\nmake sure that you have offline copies.\r\nImplement a modern threat monitoring and blocking tool that will help contain and repel attacks at any\r\nstage of the kill chain. 
\r\nFor more information about attacks using manually controlled ransomware, see the Group-IB report\r\n“Ransomware 2021/2022”:\r\nSource: https://blog.group-ib.com/blackmatter#",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/blackmatter#"
	],
	"report_names": [
		"blackmatter#"
	],
	"threat_actors": [],
	"ts_created_at": 1777949111,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99316988ae008808c8939108510625b5ced226e8.pdf",
		"text": "https://archive.orkl.eu/99316988ae008808c8939108510625b5ced226e8.txt",
		"img": "https://archive.orkl.eu/99316988ae008808c8939108510625b5ced226e8.jpg"
	}
}