{
	"id": "4293d713-bad0-4300-a286-84cc2419fcef",
	"created_at": "2026-04-06T00:18:17.300776Z",
	"updated_at": "2026-04-10T03:21:00.239163Z",
	"deleted_at": null,
	"sha1_hash": "f016faa7e25f1c72178bc503c9ab5b0b92c4cad0",
	"title": "BlackMatter Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129413,
	"plain_text": "BlackMatter Ransomware | CISA\r\nPublished: 2021-10-18 · Archived: 2026-04-05 14:58:29 UTC\r\nSummary\r\nActions You Can Take Now to Protect Against BlackMatter Ransomware\r\n• Implement and enforce backup and restoration policies and procedures.\r\n• Use strong, unique passwords.\r\n• Use multi-factor authentication.\r\n• Implement network segmentation and traversal monitoring.\r\nNote: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®)\r\nframework, version 9. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThis joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency\r\n(CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide\r\ninformation on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S.\r\ncritical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.\r\nThis advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a\r\nsample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting.\r\nUsing embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access\r\nProtocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all\r\nhosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.\r\nRansomware attacks against critical infrastructure entities could directly affect consumer access to critical\r\ninfrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure\r\norganizations, to implement the recommendations listed in the Mitigations section of this joint advisory. 
These\r\nmitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.\r\nTechnical Details\r\nOverview\r\nFirst seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware's\r\ndevelopers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims.\r\nBlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-291a\r\nPage 1 of 7\n\nBlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments\r\nranging from $80,000 to $15,000,000 in Bitcoin and Monero.\r\nTactics, Techniques, and Procedures\r\nThis advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter\r\nransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA-256:\r\n706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d. (Note: the sample’s page is available\r\non VirusTotal.)\r\nThe BlackMatter variant uses embedded admin or user credentials that were previously compromised and\r\nNtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services,\r\nrespectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts\r\nin the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate\r\neach host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB\r\nprotocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including\r\nADMIN$, C$, SYSVOL, and NETLOGON.\r\nBlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual\r\nmachines. 
Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and\r\nappliances.\r\nTable 1 maps BlackMatter’s capabilities to the MITRE ATT\u0026CK for Enterprise framework, based on the analyzed\r\nvariant and trusted third-party reporting.\r\nTable 1: BlackMatter Actors and Ransomware TTPs\r\nTactic | Technique | Procedure\r\nPersistence [TA0003] | External Remote Services [T1133] | BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.\r\nCredential Access [TA0006] | OS Credential Dumping: LSASS Memory [T1003.001] | BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.\r\nDiscovery [TA0007] | Remote System Discovery [T1018] | BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD.\r\nDiscovery [TA0007] | Process Discovery [T1057] | BlackMatter uses NtQuerySystemInformation to enumerate running processes.\r\nDiscovery [TA0007] | System Service Discovery [T1007] | BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.\r\nLateral Movement [TA0008] | Remote Services: SMB/Windows Admin Shares [T1021.002] | BlackMatter uses the srvsvc.NetShareEnumAll MSRPC function to enumerate, and SMB to connect to, all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.\r\nExfiltration [TA0010] | Exfiltration Over Web Service [T1567] | BlackMatter attempts to exfiltrate data for extortion.\r\nImpact [TA0040] | Data Encrypted for Impact [T1486] | BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.\r\nImpact [TA0040] | Disk Wipe [T1561] | BlackMatter may wipe backup systems.\r\nDetection Signatures\r\nThe 
following Snort signatures may be used for detecting network activity associated with BlackMatter.\r\nIntrusion Detection System Rule:\r\nalert tcp any any -\u003e any 445 ( msg:\"BlackMatter remote encryption attempt\"; content:\"|01 00 00 00 00 00 05 00 01 00|\"; content:\"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|\"; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )\r\nInline Intrusion Prevention System Rule:\r\nalert tcp any any -\u003e any 445 ( msg:\"BlackMatter remote encryption attempt\"; content:\"|01 00 00 00 00 00 05 00 01 00|\"; content:\"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|\"; distance:100; priority:1; sid:10000001; )\r\nrate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400\r\nMitigations\r\nCISA, the FBI, and NSA urge network defenders, especially for critical infrastructure organizations, to apply the\r\nfollowing mitigations to reduce the risk of compromise by BlackMatter ransomware:\r\nImplement Detection Signatures\r\nImplement the detection signatures identified above. These signatures will identify and block placement\r\nof the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from\r\nthe encryptor system for 24 hours.\r\nUse Strong Passwords\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin\r\naccounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts\r\nor stored on the system where an adversary may have access. Note: devices with local administrative\r\naccounts should implement a password policy that requires strong, unique passwords for each individual\r\nadministrative account. 
\r\nImplement Multi-Factor Authentication\r\nRequire multi-factor authentication for all services to the extent possible, particularly for webmail,\r\nvirtual private networks, and accounts that access critical systems.\r\nPatch and Update Systems\r\nKeep all operating systems and software up to date. Timely patching is one of the most efficient and\r\ncost-effective steps an organization can take to minimize its exposure to cybersecurity threats.\r\nLimit Access to Resources over the Network\r\nRemove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$\r\nare deemed operationally necessary, restrict privileges to only the necessary service or user accounts and\r\nperform continuous monitoring for anomalous activity.\r\nUse a host-based firewall to only allow connections to administrative shares via SMB from a limited set\r\nof administrator machines.\r\nImplement Network Segmentation and Traversal Monitoring\r\nAdversaries use system and network discovery techniques for network and system visibility and mapping. To limit\r\nan adversary from learning the organization’s enterprise environment, limit common system and network\r\ndiscovery techniques by taking the following actions.\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the\r\nspread of ransomware by controlling traffic flows between—and access to—various subnetworks and by\r\nrestricting adversary lateral movement.\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated\r\nransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool\r\nthat logs and reports all network traffic, including lateral movement activity on a network. 
Endpoint\r\ndetection and response (EDR) tools are particularly useful for detecting lateral connections as they have\r\ninsight into common and uncommon network connections for each host. \r\nUse Admin Disabling Tools to Support Identity and Privileged Access Management\r\nIf BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected.\r\nGiven that there has been an observed increase in ransomware attacks during non-business hours, especially\r\nholidays and weekends, CISA, the FBI, and NSA recommend organizations:\r\nImplement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the\r\nprinciple of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy\r\nis set in place to automatically disable admin accounts at the AD level when the account is not in direct\r\nneed. When the account is needed, individual users submit their requests through an automated process that\r\nenables access to a system, but only for a set timeframe to support task completion. \r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral\r\nmovement often depend on software utilities that run from the command line. If threat actors are not able to\r\nrun these tools, they will have difficulty escalating privileges and/or moving laterally. \r\nImplement and Enforce Backup and Restoration Policies and Procedures\r\nMaintain offline backups of data, and regularly maintain backup and restoration. This practice will\r\nensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom\r\ndemand.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the\r\nentire organization’s data infrastructure. 
\r\nCISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to\r\nreduce the risk of credential compromise.\r\nDisable the storage of clear text passwords in LSASS memory.\r\nConsider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest\r\nAuthentication.\r\nImplement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows\r\nDefender Credential Guard for more information). For Windows Server 2012R2, enable Protected\r\nProcess Light for Local Security Authority (LSA).\r\nMinimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as\r\n“Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed\r\ncredentials that attackers attempt to crack.\r\nSet a strong password policy for service accounts.\r\nAudit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure\r\nthe events are monitored for anomalous activity.\r\nRefer to the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for general\r\nmitigations to prepare for and reduce the risk of compromise by ransomware attacks.\r\nNote: critical infrastructure organizations with industrial control systems/operational technology networks should\r\nreview joint CISA-FBI Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for\r\nPreventing Business Disruption from Ransomware Attacks for more mitigations, including mitigations to reduce\r\nthe risk of severe business or functional degradation should their entity fall victim to a ransomware attack.\r\nResponding to Ransomware Attacks\r\nIf a ransomware incident occurs at your organization, CISA, the FBI, and NSA recommend:\r\nFollowing the Ransomware Response Checklist on p. 
11 of the CISA-Multi-State Information Sharing\r\nand Analysis Center (MS-ISAC) Joint Ransomware Guide.\r\nScanning backups. If possible, scan backup data with an antivirus program to check that it is free of\r\nmalware.\r\nReporting incidents immediately to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report,\r\nor the U.S. Secret Service at a U.S. Secret Service Field Office. \r\nApplying incident response best practices found in the joint Advisory, Technical Approaches to\r\nUncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of\r\nAustralia, Canada, New Zealand, and the United Kingdom.\r\nNote: CISA, the FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may\r\nembolden adversaries to target additional organizations, encourage other criminal actors to engage in the\r\ndistribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a\r\nvictim’s files will be recovered.\r\nResources\r\nFor more information and resources on protecting against and responding to ransomware, refer to\r\nStopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and\r\nalerts.\r\nCISA’s Ransomware Readiness Assessment (RRA) is a no-cost self-assessment based on a tiered set of\r\npractices to help organizations better assess how well they are equipped to defend and recover from a\r\nransomware incident. \r\nCISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess,\r\nidentify, and reduce their exposure to threats, including ransomware. 
By requesting these services,\r\norganizations of any size could find ways to reduce their risk and mitigate attack vectors.\r\nContact Information\r\nVictims of ransomware should report it immediately to CISA at us-cert.cisa.gov/report, a local FBI Field Office,\r\nor U.S. Secret Service Field Office. When available, please include the following information regarding the\r\nincident: date, time, and location of the incident; type of activity; number of people affected; type of equipment\r\nused for the activity; the name of the submitting company or organization; and a designated point of contact. For\r\nNSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center\r\nat 410-854-4200 or Cybersecurity_Requests@nsa.gov.\r\nThis document was developed by CISA, the FBI, and NSA in furtherance of their respective cybersecurity\r\nmissions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.\r\nNote: the information you have accessed is being provided “as is” for informational purposes only. CISA, the FBI,\r\nand NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to\r\nspecific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does\r\nnot constitute or imply their endorsement, recommendation, or favoring by CISA, the FBI, or NSA.\r\nRevisions\r\nOctober 18, 2021: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-291a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-291a"
	],
	"report_names": [
		"aa21-291a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f016faa7e25f1c72178bc503c9ab5b0b92c4cad0.pdf",
		"text": "https://archive.orkl.eu/f016faa7e25f1c72178bc503c9ab5b0b92c4cad0.txt",
		"img": "https://archive.orkl.eu/f016faa7e25f1c72178bc503c9ab5b0b92c4cad0.jpg"
	}
}