The BlackMatter ransomware

First seen in July 2021, BlackMatter is a Ransomware-as-a-Service (RaaS) tool that allows the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims.

BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. 

BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.


What is BlackMatter?

BlackMatter is a new ransomware threat discovered at the end of July 2021. 

The malware launched with a burst of attacks and with advertising from its developers claiming to have taken the best features of other ransomware families, such as GandCrab, LockBit, and DarkSide, while at the same time presenting themselves as a new group of developers.

The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. 

As with earlier ransomware operations, the operators also exfiltrate files and private information from compromised servers and demand an additional ransom in exchange for not publishing the stolen data on the internet (double extortion).


BlackMatter is a ransomware to be afraid of

US federal security agencies have issued a joint advisory aimed at cybersecurity professionals, warning that further ransomware attacks by the BlackMatter group should be expected.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) are the three agencies behind this joint advisory, which follows months of scrutiny and investigation into the group.

The agencies consider the signs of upcoming activity strong enough that they have urged organizations to strengthen their cybersecurity defenses, especially around user passwords (strong, unique credentials) and multi-factor authentication (MFA).

BlackMatter appears to be made up of members previously involved with DarkSide, the infamous group that shut down its operations in May 2021.

BlackMatter, like the hacker group Desorden (which recently targeted Acer), goes after large companies within supply chains, so that a single compromise amplifies disruption across many downstream endpoints.

Since starting to operate under the new name, BlackMatter has already hit the infrastructure of several organizations, including two food and agriculture cooperatives, as well as companies such as Olympus.


BlackMatter attack features

By detonating a sample of the BlackMatter ransomware in a controlled analysis environment, the agencies highlighted the sophistication of its approach: it can attack both Windows and Linux hosts as well as VMware ESXi-based virtual machines, which means that a typical mixed enterprise environment offers it few places to hide.

The analysis also highlights the destructive approach BlackMatter takes to maximize the impact of its ransomware: rather than simply encrypting backup systems, BlackMatter actors wipe or reformat the backup data stores and appliances they find, leaving the victim with no recovery option other than the attackers' decryptor.


How to protect yourself

Recommended mitigations include network segmentation (instead of the flat, centralized network design that has historically been favored for ease of use and control), so that a compromised host cannot freely reach backup systems and other critical assets, as well as the use of network monitoring tools to detect ransomware activity such as lateral movement and mass file access.

The agencies have also published detection signatures for BlackMatter so that security teams can proactively check the systems they manage for signs of compromise.