If you hadn’t heard of BlackMatter before this week, you now likely know it as the group linked to a recent ransomware attack against Iowa-based farm services provider New Cooperative. Since it first emerged in July 2021, researchers have been trying to learn more about the new threat group.
After an affiliate of the DarkSide ransomware-as-a-service (RaaS) group hit Colonial Pipeline in a major attack earlier this year that led to supply chain disruption and major headlines, the group confirmed it would shut down its operation. Its servers were seized, and its cryptocurrency wallets were drained. REvil, the group linked to the Kaseya attack, disappeared from the Internet soon after.
BlackMatter claims to fill the gap that DarkSide and REvil left behind and use the best tools and techniques of both groups, as well as LockBit 2.0, to do it. Researchers have been analyzing BlackMatter since it emerged, and an increasing number of reports have found connections between these groups.
“The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship,” wrote McAfee’s Alexandre Mundo, senior malware analyst, and Marc Elias, security researcher, in a recent blog post on their findings.
Their analysis focuses on version 1.2 of BlackMatter, though they note version 1.9 has a compile time of Aug. 12, 2021, and the latest version, 2.0, has a compile date of Aug. 16, 2021. It’s “clear that the malware developers are actively improving the code and making detection and analysis harder,” they note.
Once BlackMatter has landed on a victim’s machine and encrypted the files on its drives, the ransomware sets a wallpaper very similar to the one DarkSide set, Sophos researcher Mark Loman notes in a blog post. Also similar to DarkSide, the wallpaper is stored in the same folder on disk, with an identical file size of 2,818,366 bytes, image format, and image dimensions, he points out.
Also like DarkSide and REvil, BlackMatter uses a runtime API that can impede static analysis, and strings are encrypted and revealed during runtime. “While these techniques are common across many recent malware, the way in which the runtime API and string decryption function in BlackMatter is very similar to the functionality seen in DarkSide and REvil,” Loman writes.
After impeding analysis and evading debuggers, the ransomware escalates privileges. BlackMatter checks whether the user that launched the process belongs to the local Administrators group. If so, the code continues; if not, it attempts to elevate the process token, trying multiple approaches and checking after each whether it has obtained system privileges. REvil, LockBit 2.0, and DarkSide likewise attempted to elevate privileges when limited by User Account Control (UAC).
Emsisoft analysts report in a blog post that BlackMatter uses the same encryption routine as DarkSide, including a custom Salsa20 matrix that had been unique to DarkSide. Since the group emerged, there have been 44 submissions to ID Ransomware that indicate BlackMatter attacks. Emsisoft estimates only 25% of victims submit data to ID Ransomware, meaning there may have been 176 BlackMatter incidents since the group began.
Lucrative, Large Targets
Researchers also say the group has published stolen data from 10 organizations on its leak site. BlackMatter appears to target large and well-resourced organizations; its victims have been in the US, UK, Canada, Australia, India, Brazil, Chile, and Thailand. The operators say they will not target hospitals, critical infrastructure such as nuclear power plants and water treatment facilities, the defense industry, the government sector, nonprofits, or the oil and gas industry.