{
	"id": "56aa50a6-b42b-47b5-afc5-dc396bfa3f77",
	"created_at": "2026-04-06T00:17:48.321906Z",
	"updated_at": "2026-04-10T13:12:41.13993Z",
	"deleted_at": null,
	"sha1_hash": "9c17910abe23fb802493924e98f8919749051b60",
	"title": "Analyzing Exmatter: A Ransomware Data Exfiltration Tool",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 281648,
	"plain_text": "Analyzing Exmatter: A Ransomware Data Exfiltration Tool\r\nPublished: 2022-03-22 · Archived: 2026-04-05 13:44:32 UTC\r\nHaving conducted more than 3,200 incident response engagements in 2021, Kroll’s Threat Intelligence team now\r\ntracks more than 200 ransomware threat actor groups. Kroll’s global Incident Response teams are very familiar\r\nwith actions traditionally associated with a network intrusion, from initial access to lateral movement to privilege\r\nescalation to data exfiltration—and in the case of financially motivated actors, ransomware deployment. In this\r\nblog post, we will examine one of the tools used in such intrusions, Exmatter. \r\nIn Q4 2021, Kroll analyzed multiple samples of a custom exfiltration tool called Exmatter. It’s the third\r\nexfiltration toolset utilized by ransomware operators observed in the wild, after the release of Ryuk Infostealer in\r\nJanuary 2020 and StealBit, which is associated with the LockBit 2.0 operator. Both the Ryuk Infostealer and\r\nStealBit are capable of programmatic identification of files of interest, followed by automatic exfiltration of data.\r\nRansomware groups in particular are known to harness custom data exfiltration tools to accelerate the information\r\ntheft. Although Exmatter was originally associated with the now-defunct BlackMatter Ransomware-as-a-Service\r\n(RaaS) operation, Kroll has since observed variants of this tool being used by other RaaS groups.  \r\nThe use of customized tools like Exmatter puts greater pressure on organizations to use effective endpoint\r\ndetection and response capabilities along with cyber security best practices. \r\nAccelerating the Exfiltration Process\r\nExmatter is designed to steal a range of user files, databases and compressed files (including email and zip archive\r\nfiles) from multiple directories and then upload them to a preconfigured server via Secure File Transfer Protocol\r\n(SFTP). 
This tool has been observed shortly before ransomware deployment on the victim's network. Interestingly,\r\nKroll has identified attackers targeting specific file extensions indicative of web and application source code,\r\nshortcuts for Remote Desktop, and CAD/GIS files in their data theft efforts. This process of reducing data sources\r\nto the specific types of business-critical files is designed to speed up the exfiltration process by collecting the data\r\nthat attackers believe will be of the greatest relevance and/or sensitivity during a ransom negotiation. Kroll\r\nassesses that it may increase pressure on an organization to make a ransom settlement when that organization is\r\npresented with a curated file tree of sensitive files. The expeditious nature of this custom file collection means the\r\nactivity is more likely to complete successfully while also evading detection by traditional cyber security\r\nmechanisms.\r\nKroll’s analysis identified that, upon enumerating the logical drives on a victim's computer, Exmatter iterates\r\nthrough each drive's folders but ignores certain directories, including directories inside \"C:\\ProgramData\\\" (see Table 1).\r\nKroll assesses that these operating system directories generally contain files of low value when viewed from the\r\nperspective of compelling a ransomware payment. 
Upon identification of PDFs, Microsoft Office, OpenOffice and\r\nStarOffice files (including documents, spreadsheets and presentation files, along with other file extensions as\r\ndescribed in Table 2), a queue is established to prioritize the most recently modified files ahead of older files.\r\nKroll has also identified another limiting factor: after identifying file extensions of interest, Exmatter only\r\nexfiltrates files larger than 1,024 bytes.\r\nhttps://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool\r\nPage 1 of 4\n\nAnti-Forensic Cleanup \u0026 Capability Enhancements\r\nAs soon as all the selected data has been exfiltrated from the victim’s endpoint, Exmatter leverages anti-forensic\r\ntechniques, removing any traces of itself from the device by invoking PowerShell to overwrite the first 65,536\r\nbytes of the malicious file and subsequently delete itself. Kroll’s incident responders have observed multiple\r\nvariants of the tool adding updates to the inclusion and exclusion list and implementing the use of a WebDAV\r\nclient as a secondary method of exfiltrating data should the primary use of SFTP fail. This suggests that attackers\r\nare continuing to evolve their tools to overcome defender obstacles while stealing valuable data in the shortest\r\npossible time.\r\nMore recently, Kroll’s incident response investigators have observed a new variant of the Exmatter tool being used\r\nfor exfiltration prior to Conti ransomware deployment. 
This variant includes a date range filter for the targeted\r\ndata, indicating it may still be in development even after the alleged shutdown of the BlackMatter actor group in\r\nNovember 2021.\r\nExmatter Analysis in Action\r\nIn an analysis of Exmatter, Kroll’s Malware Analysis and Reverse Engineering team confirmed the sample was a\r\n.NET Windows executable file that had been compiled with Themida, an anti-reverse engineering software\r\nprotection utility. Through static and dynamic analysis, Kroll successfully extracted the unpacked executable\r\nembedded within the file. \r\nKroll found that any file matching the conditions in Tables 1 and 2 would be sent via SFTP to a remote server over\r\nTCP port 22 using a hardcoded username and password within the file. The team identified additional embedded\r\nconfiguration data, including a failover WebDAV option should SFTP fail, as well as a SOCKS5 proxy\r\nconfiguration with the localhost IP address.\r\nKroll also identified that the malicious file would accept command-line arguments as well. If the string “nownd”\r\nor “-nownd” was passed to the file on execution, the file would attempt to hide its own window in order to avoid\r\nvisual detection by any end user on the system. \r\nRecommendations for Detecting Reconnaissance and Lateral Movement\r\nDuring the early stages of a network intrusion, threat actors frequently utilize tools with legitimate purposes to\r\nsurreptitiously engage in malicious activities. 
Tools such as ADFind and Advanced IP Scanner, for example, are\r\nwidely used for network and Active Directory administration but can also be abused to aid in reconnaissance.\r\nWhen able to, attackers also use legitimately signed binaries, such as those belonging to the Windows Sysinternals\r\nsuite, and leverage their capabilities to carry out malicious activities ranging from credential dumping\r\n(ProcDump) to widespread malware and ransomware deployment (PsExec). \r\nDue to their legitimate purposes, these tools often do not raise suspicion when used in enterprise networks and\r\nthus provide threat actors with the ability to bypass traditional security apparatuses, including antivirus software.\r\nKroll has also observed threat actors tampering with Group Policy Objects (GPO) to weaken the technical security\r\nposture of an organization. Once the initial stages of an attack are successfully carried out using such tools and\r\nattackers have identified that they’ve not yet been detected, threat actors may then introduce custom and unique\r\ntooling to focus on and accomplish their actions on an objective, such as data exfiltration. Kroll recommends the\r\nfollowing strategies for detecting reconnaissance and lateral movement:\r\nEmploy Next-Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR) on all devices\r\nwithin your environment to enable early detection and response to these threats. Based upon available\r\norganizational staffing, outsourcing the monitoring of your EDR solution may be a prudent approach to\r\nrisk management given the 24x7 nature of the current cyber risk environment.\r\nImplement cyber security best practices, including MFA, patching and least privilege. A focus on reliable,\r\noffline-tested, immutable backups is also important.\r\nMap your cyber security posture to a framework. The CIS Top 18 is a great solution for many\r\norganizations. 
\r\nGartner’s Market Guide for Digital Forensics and Incident Response Services highlights the growing need for\r\nmalware analysis as part of effective incident response. If organizations are unable to undertake this type of\r\nanalysis themselves, they can reach out to Kroll’s security and cyber risk experts at any time.\r\nSource: https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool"
	],
	"report_names": [
		"analyzing-exmatter-ransomware-data-exfiltration-tool"
	],
	"threat_actors": [],
	"ts_created_at": 1775434668,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c17910abe23fb802493924e98f8919749051b60.pdf",
		"text": "https://archive.orkl.eu/9c17910abe23fb802493924e98f8919749051b60.txt",
		"img": "https://archive.orkl.eu/9c17910abe23fb802493924e98f8919749051b60.jpg"
	}
}