Herjavec Group BlackMatter Ransomware Profile
September 24, 2021
BlackMatter is a breakout ransomware group that became operational shortly after the REvil and DarkSide ransomware operations shut down in late summer 2021. Like DarkSide, the group has been vocal and expressive with the press about its operation, and it has openly claimed that BlackMatter is the product of reproducing the “best parts” of previous ransomware operations [1]. BlackMatter has also publicly stated that it does not spend much time on “VPN and other time-consuming types of initial access” [1], which suggests the group relies on Initial Access Brokers (IABs). IABs are financially motivated individuals or groups who provide ransomware operators with access to an already, silently compromised network in exchange for a small fee or direct employment by the operators [2].
Overview
Analysis of BlackMatter ransomware samples shows that the group has reused several features from other ransomware operations: multithreaded encryption (Conti), abuse of the Windows diagnostic environment “Safe Mode” to evade endpoint protection (REvil), and partial encryption of files to speed up the encryption process (LockBit 2.0) [3]–[5]. The group explicitly claims that it does not attack hospitals, power plants, water treatment facilities, pipelines and oil refineries, non-profit organizations, or the public sector, stating that “if your company is on that list, you can ask us for [a] free decryption [key]”. This is suspected to be a measure taken by the threat actors to avoid attracting the attention of law enforcement in the nation-states where their victims reside.
Targeting
Recent targets by BlackMatter have been located across the globe and across markedly different industry verticals. The diverse target selection suggests that BlackMatter may be focused on “attacks of opportunity”, rather than a specific sector or demographic. Recent targets include:
Name | Description | Industry | Country |
---|---|---|---|
Olympus | A manufacturer of optics, endoscopy, and reprography products. | Health Care Equipment | Japan |
Marketron | A digital and broadcast marketing firm and provider of cloud-based marketing software solutions | Marketing | America |
La Martiniquaise | France’s second-largest spirit and alcoholic beverage company | Food, Beverage, and Tobacco | France |
New Cooperative Inc. | A member-owned agricultural cooperative. The company offers feed, fertilizers, crop protection, and seed resources along with grain marketing, storage, and soil mapping services | Agricultural Products | America |
Le Monastery | A residence and apartment provider for seniors | Real Estate (Diversified Financials) | Canada |
Citrocasa GmbH | A machining manufacturer. | Manufacturing | Austria |
Pramer Baustoffe GmbH | A construction material and tool supplier | Manufacturing | Austria |
Actief Jobmade GmbH | A job-finding web service. | Employment Services | Austria |
Equity Transition | A transportation and logistics company | Transportation | America |
Marcus & Millichap | A publicly traded real estate investment firm | Real Estate (Diversified Financials) | America |
Solar BR Coca-Cola | A partnership venture between The Coca-Cola Company and two other large domestic manufacturers and distributors of beer, soft drinks, juices, energy drinks and dairy products. | Food Beverage & Tobacco | Brazil |
Middleton Reutlinger | A legal services firm | Legal Services | America |
ATT&CK Lifecycle
Malware analysis of recent BlackMatter samples demonstrates that the group has used the following TTPs during its attacks [6], [7]:
TID | Technique Description | Observable Procedure |
---|---|---|
T1070 | Valid Accounts | BlackMatter uses valid accounts to logon to the victim network. |
T1106 | Native API | BlackMatter uses native API functions in all code. |
T1134 | Access Token Manipulation | BlackMatter accesses and manipulates different process tokens. |
T1547 | Boot or Logon Autostart Execution | BlackMatter installs persistence in the registry. |
T1562.001 | Disable or Modify Tools | BlackMatter stops services related to endpoint security software. |
T1497.001 | System Checks | BlackMatter tries to detect debuggers, checking the memory reserved in the heap. |
T1222.001 | Windows File and Directory Permissions Modification | BlackMatter executes the command icacls “ |
T1112 | Modify Registry | BlackMatter changes registry keys and values and sets new ones. |
T1102 | Query Registry | BlackMatter queries the registry for information. |
T1018 | Remote System Discovery | BlackMatter enumerates remote machines in the domain. |
T1135 | Network Share Discovery | BlackMatter will attempt to discover network shares by building a UNC path in the following format for each drive letter, from A to Z: \\ |
T1082 | System Information Discovery | BlackMatter uses functions to retrieve information about the target system. |
T1592 | Gather Victim Host Information | BlackMatter retrieves information about the user and machine. |
T1083 | File and Directory Discovery | BlackMatter uses native functions to enumerate files and directories searching for targets to encrypt. |
T1057 | Process Discovery | BlackMatter enumerates all processes to try to discover security programs and terminate them. |
T1489 | Service Stop | BlackMatter stops services. |
T1486 | Data Encrypted for Impact | BlackMatter encrypts files using a custom Salsa20 algorithm and RSA. |
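As an added example, not taken from the Herjavec profile or the cited analyses, the Python script below shows one defender-side way to spot the T1135 procedure listed above: it scans constructed, simplified Windows Security event 5140 ("A network share object was accessed") records and flags an account and source address that touch several drive-letter administrative shares within a short window, which is what a sequential A–Z UNC sweep looks like from the file server's side. The key=value layout and field names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value rendering of Windows
# Security event 5140 ("A network share object was accessed"); not real data.
SAMPLE_LOG = r"""
2021-09-20T10:01:02 id=5140 account=svc_backup src=10.0.0.5 share=\\*\C$
2021-09-20T10:01:02 id=5140 account=svc_backup src=10.0.0.5 share=\\*\D$
2021-09-20T10:01:03 id=5140 account=svc_backup src=10.0.0.5 share=\\*\E$
2021-09-20T10:01:03 id=5140 account=svc_backup src=10.0.0.5 share=\\*\F$
2021-09-20T10:01:04 id=5140 account=svc_backup src=10.0.0.5 share=\\*\G$
2021-09-20T10:15:00 id=5140 account=jdoe src=10.0.0.9 share=\\*\Finance
2021-09-20T10:20:00 id=5140 account=jdoe src=10.0.0.9 share=\\*\C$
""".strip().splitlines()

# Matches the trailing "\X$" of an administrative drive share (C$, D$, ...).
ADMIN_SHARE = re.compile(r"\\([A-Za-z])\$$")

def parse_event(line):
    # Return (timestamp, account, src, share), or None for non-5140 records.
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split(" "))
    if fields.get("id") != "5140":
        return None
    return datetime.fromisoformat(ts), fields["account"], fields["src"], fields["share"]

def detect_share_sweep(lines, min_letters=4, window=timedelta(seconds=60)):
    """Flag (account, source) pairs that touch >= min_letters distinct
    drive-letter admin shares within `window`, i.e. a sequential A..Z sweep."""
    by_actor = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, account, src, share = ev
        m = ADMIN_SHARE.search(share)
        if m:  # only administrative drive shares count toward the sweep
            by_actor[(account, src)].append((ts, m.group(1).upper()))
    alerts = []
    for (account, src), events in by_actor.items():
        events.sort()  # chronological, so each window starts at events[i]
        for i, (start, _) in enumerate(events):
            letters = {l for ts, l in events[i:] if ts - start <= window}
            if len(letters) >= min_letters:
                alerts.append({"account": account, "src": src, "letters": sorted(letters)})
                break  # one alert per actor is enough
    return alerts

if __name__ == "__main__":
    for a in detect_share_sweep(SAMPLE_LOG):
        print(f"ALERT {a['account']}@{a['src']} swept shares {''.join(a['letters'])}$")
```

The `min_letters` and `window` thresholds are starting points; a backup account that legitimately walks every admin share should be allow-listed rather than the rule loosened.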
Recent Artifacts
Herjavec Group's Defensive Recommendations for Observed Tactics Techniques and Procedures
- Keep externally facing devices up to date with security patches.
- Enable multifactor authentication (MFA) for all user accounts if able.
- Educate users on choosing strong passwords and on not re-using old passwords.
- Consider network segmentation and monitoring or restricting traffic protocols associated with lateral movement, such as SMB if able.
- Employ the principle of least privilege to operating systems and applications based on user roles and duties.
- Engage third-party and dark-web monitoring services to proactively handle leaked credentials associated with valid third-party accounts.
- Perform frequent backups and recovery tasks based on system criticality (daily, weekly, or monthly), and keep backups offline and encrypted.
- Note that use of the Windows API involves processes loading or accessing the system DLLs that export the called functions (e.g. kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll).
- Monitor for DLL loads, especially by abnormal, unusual, or potentially malicious processes, as this may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity [8].
References
[1] D. Smilyanets, “An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil,” The Record by Recorded Future, Aug. 02, 2021. Accessed: Aug. 23, 2021. [Online]. Available: https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
[2] V. Kivilevich, “All Access Pass: Five Trends with Initial Access Brokers,” Kela, Aug. 2021. Accessed: Aug. 18, 2021. [Online]. Available: https://ke-la.com/all-access-pass-five-trends-with-initial-access-brokers/
[3] B. Baskin, “TAU Threat Discovery: Conti Ransomware,” VMware Carbon Black, Jul. 08, 2020. Accessed: Dec. 01, 2020. [Online]. Available: https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
[4] M. Loman, “BlackMatter ransomware emerges from the shadow of DarkSide,” Sophos News, Aug. 09, 2021. Accessed: Sep. 23, 2021. [Online]. Available: https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
[5] J. P. Bernardo, J. Chong, N. Madayag, M. Marti, C. Tomboc, and S. Torre, “LockBit Resurfaces With Version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK,” Trend Micro, Aug. 2021. Accessed: Aug. 18, 2021. [Online]. Available: https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html
[6] “BlackMatter Ransomware Analysis; The Dark Side Returns,” McAfee Blogs. Accessed: Sep. 23, 2021. [Online]. Available: https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/
[7] “706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d,” ANY.RUN - Free Malware Sandbox Online. Accessed: Sep. 23, 2021. [Online]. Available: https://any.run/report/706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d/62248aef-7bc6-499e-9f06-ad12c83f8002
[8] “Native API, Technique T1106 - Enterprise,” MITRE ATT&CK®. Accessed: Sep. 23, 2021. [Online]. Available: https://attack.mitre.org/techniques/T1106/