BlackMatter Ransomware: In-Depth Analysis & Recommendations

Threat Research

Executive Summary

CISA has issued a security bulletin regarding the BlackMatter ‘big game hunter’ ransomware group following a sharp increase in cases targeting U.S. businesses. To mitigate these attacks, it is recommended that organizations enforce multifactor authentication (MFA) and update vulnerable software and systems, such as those commonly exploited by ransomware groups.


Over the July 4th holiday, REvil attacked Kaseya’s customers using a Sodinokibi payload that, amongst its many indicators of compromise (IOC), included a “Blacklivesmatter” registry entry.

Not long after, REvil seemingly disappeared from the dark web, potentially in an attempt to avoid law enforcement attention or as the result of some take down action.

Aside from being an interesting IOC at the time, the “Blacklivesmatter” registry entry seemingly provided an early indication of things to come: the formation of a big game hunter ransomware group using the moniker “BlackMatter” that, based on our research, appears to be an amalgamation of REvil and Darkside team members and tradecraft. The groups exhibit strong similarities in their codebases, infrastructure configuration, techniques, and operating philosophies.

REvil and Darkside, as we know, have been two of the most prolific ransomware groups throughout 2020 and 2021, with landmark attacks on Colonial Pipeline and JBS as well as the infamous Travelex incident that saw the organization and their customers suffering disruption for months.


While mainly targeting Windows-based systems, we have observed unique payloads targeting Linux systems as well. The Linux payloads don’t encrypt data; they act as remote access trojans (RATs) used to pivot to other Windows-based machines.

Since forming BlackMatter in mid-July 2021, the group’s first foray seemingly targeted a US-based architecture company on or around July 28, 2021, some three weeks after the Kaseya incident.

Figure 1 – Example BlackMatter Ransom Negotiations

BlackMatter offers threat actors and affiliates access to custom configurable binary payloads for each victim that include unique traits such as a tailored ransom note, often providing proof of the stolen data, as well as the victim’s name and their identifier.

Based on dark web posts by an identity purporting to be BlackMatter, the group is only interested in targeting businesses with more than $100M annual revenues and they are avoiding networks that were previously compromised by Darkside or REvil. To incentivize others to provide access to new potential victim networks, theoretically appealing to malicious insider threats as well as initial access operators, the group offers a $100K bounty.

As seen in REvil’s recruitment activity during 2020, BlackMatter have provided proof and reassurances of their ability to pay any would-be affiliate by depositing 4BTC (~$247K) with the forum.

Figure 2 – BlackMatter Forum Post

Notably, the group appears to target organizations in English-speaking countries (explicitly listing Australia, Canada, the United Kingdom, and the United States) although they exclude healthcare and government institutions, likely to avoid local law enforcement action resulting from political pressure, especially in the wake of an attack that might be considered an act of cyber warfare.


Unlike many cyberattacks that rely on phishing to establish a foothold, BlackMatter appears to gain initial access primarily via the compromise of vulnerable edge devices and the abuse of corporate credentials obtained from other sources.

While some edge cases may see spear-phishing campaigns and malicious document payloads used to drop or download the compact ~80KB BlackMatter payload, this has not been observed in any investigations we have conducted.

In addition to BlackMatter members exploiting infrastructure vulnerabilities, such as those found in remote desktop, virtualization and VPN appliances or servers, initial access operators affiliated with the group will likely bring their own TTPs and may favor exploiting some vulnerabilities over others.

Additionally, the group are thought to make use of credentials obtained from other sources, such as third-party credential leaks, broad phishing campaigns or dark web marketplaces, taking advantage of credential reuse and exploiting organizations that don’t enforce multi-factor authentication on internet-facing services.

In many cases, BlackMatter and their affiliates appear opportunistic, happening upon vulnerable organizations based on their susceptibility to a preferred intrusion method rather than investing time and effort toward a specific target.

In other cases, it is apparent that BlackMatter has gained extensive and intimate knowledge of the victim’s infrastructure: victim-specific ransomware configurations include tailored process and service names to ensure they are terminated prior to the encryption phase, as well as an embedded list of high-privilege credentials. These credentials may include domain administrator or service accounts that provide the ability to access and encrypt data throughout the network.

What can we say about the payload?

  • Highly efficient multithreaded executable, written in C, that is only ~80kb in size.
  • Version 3.0 hides the configuration in different locations, making it harder to extract and analyze.
  • To hide execution flow, every function is decoded, loaded to memory, executed and then purged.
  • Relies on native Windows cryptography libraries, making the payload much smaller.
  • Encrypts files using a combination of Salsa20 and 1024-bit RSA keys.
  • Allows specified file extensions and filenames to be excluded from the encryption process, often to ensure that Windows will still boot.
  • Not specific to BlackMatter and previously used by Darkside and MedusaLocker, a four-year-old ICMLuaUtil COM-based user account control (UAC) bypass affecting Windows 7 through 10 is used to elevate privileges (because Microsoft considers the behaviour a ‘feature’, no fix will be released).
  • BlackMatter’s configuration allows previously acquired credentials to be specified and potentially used with the UAC bypass.
  • Enumerates and deletes shadow copies using the Windows Management Instrumentation Command-Line (WMIC) utility: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ShadowCopy
  • Victim ID along with the ransom note filename and encrypted file extension is based on the MachineGuid value within the Registry (HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid).
  • The resulting encrypted file extension consists of nine mixed-case alphanumeric characters, and the ransom note is saved to the victim’s desktop and to c:\%extension%-README.txt; both may evade some dictionary-based detection methods.
  • The encryption process reads the target file, renames it with the new extension, and partially encrypts and rewrites 1024KB of data.
  • Enumerates Active Directory environments using native LDAP queries, specifically the built-in computers folder LDAP://CN=Computers to identify potential target machines.
  • Updates the victim’s desktop wallpaper to inform them of the situation:
Figure 3 – BlackMatter Wallpaper
  • Sets the Access Control List of encrypted files to “Everyone”, granting any and all users access.
  • To avoid detection and encrypt files without interference from security controls, BlackMatter supports the use of Windows ‘safe mode’: the built-in local administrator account is enabled and set for automatic sign-in, and the RunOnce Registry key is set to execute the BlackMatter payload.
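The MachineGuid-derived naming scheme above (a nine-character mixed-case alphanumeric extension and a matching `<extension>-README.txt` note on the desktop or drive root) defeats dictionary-based filename matching, but it is itself a pattern. The following detection is an added example, not code from the article or from Varonis; the event format, the threshold of five renames, and all sample paths are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Naming scheme described in the article: a nine-character mixed-case
# alphanumeric extension derived from MachineGuid, and a ransom note named
# <extension>-README.txt on the desktop and at the drive root.
EXT_RE = re.compile(r"^[A-Za-z0-9]{9}$")
NOTE_RE = re.compile(r"^([A-Za-z0-9]{9})-README\.txt$")
ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # file directly under a drive root
MIN_RENAMES = 5   # assumed burst threshold; tune per environment

def basename(path):
    return path.rsplit("\\", 1)[-1]

def extension(path):
    """Final extension of a Windows path without the dot, or None."""
    name = basename(path)
    return name.rsplit(".", 1)[1] if "." in name else None

def detect_blackmatter_artifacts(events):
    """events: iterable of (host, action, path); action is 'rename' (path is
    the new name) or 'create'. Returns a sorted list of (host, alert)."""
    renames = defaultdict(Counter)   # host -> new extension -> count
    notes = defaultdict(set)         # host -> extensions named in ransom notes
    for host, action, path in events:
        if action == "rename":
            ext = extension(path)
            if ext and EXT_RE.match(ext):
                renames[host][ext] += 1
        elif action == "create":
            m = NOTE_RE.match(basename(path))
            if m and ("\\Desktop\\" in path or ROOT_RE.match(path)):
                notes[host].add(m.group(1))
    alerts = []
    for host in sorted(set(renames) | set(notes)):
        burst = {ext for ext, n in renames[host].items() if n >= MIN_RENAMES}
        for ext in sorted(burst):   # rename burst plus matching note = high confidence
            sev = "high" if ext in notes[host] else "medium"
            alerts.append((host, f"{sev}: {renames[host][ext]} files renamed to .{ext}"))
        for ext in sorted(notes[host] - burst):
            alerts.append((host, f"medium: ransom note {ext}-README.txt seen without rename burst"))
    return alerts

# Constructed sample telemetry (not real data): WS01 shows the pattern, WS02 is benign.
SAMPLE_EVENTS = [("WS01", "rename", rf"C:\Users\alice\Documents\file{i}.xlsx.Ab3kX9mQz") for i in range(5)] + [
    ("WS01", "create", r"C:\Ab3kX9mQz-README.txt"),
    ("WS02", "rename", r"C:\Users\bob\Documents\report_final.docx"),
    ("WS02", "create", r"C:\Users\bob\Desktop\README.txt"),
]
```

Run `detect_blackmatter_artifacts(SAMPLE_EVENTS)` over file-system audit or EDR rename/create events; only WS01 is flagged, because the benign rename on WS02 has a normal extension and its README.txt lacks the nine-character prefix.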

The victim-specific ransom note informs the victim of both the data encryption and theft, and instructs them to install the Tor browser bundle so that the dark web negotiation site can be accessed.

Figure 4 – Ransom Note

In the past, REvil and Darkside have avoided encrypting machines identified as being within countries that are members of the Commonwealth of Independent States (CIS), based on the country code of the victim’s keyboard layout.

This, combined with early cybercrime forum posts indicating that only native Russian speakers are eligible to work with the group, provides a strong indication that the founding members of the group originate and operated from within the region.

Notably, BlackMatter does not appear to perform the same geolocation checks, perhaps in an attempt to avoid association with the region and their past escapades.

Command and Control

The payload communicates with command-and-control (C2) infrastructure over HTTPS, encrypting its messages with AES. The victim sends a beacon including the machine name, OS version and CPU architecture, OS language, username, domain name, disk sizes, and potential encryption keys:

Figure 5 – C2 Communications

This communication was observed using the following user-agent strings, which may be anomalous in some environments:

  • Mozilla/5.0 (Windows NT 6.1)
  • Firefox/89.0
  • Gecko/20100101
  • Edge/91.0.864.37
  • Safari/537.36
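Each of the user-agent values above is only a fragment of a legitimate browser UA, so a naive substring rule ("Safari/537.36") would flag nearly every Chrome user; the anomaly is the whole header being just the fragment. The following proxy-log check is an added example, not code from the article or from Varonis; the pipe-delimited log format, hosts and timestamps are constructed, while the UA strings and the C2 domains come from this article's own lists.

```python
import re
from collections import Counter

# Whole-field user-agent values the article associates with BlackMatter C2.
# Each is only a fragment of a real browser UA, so match the whole field.
BLACKMATTER_UAS = {
    "Mozilla/5.0 (Windows NT 6.1)",
    "Firefox/89.0",
    "Gecko/20100101",
    "Edge/91.0.864.37",
    "Safari/537.36",
}
# C2 domains from the article's IOC section (defanged there; plain here for matching).
IOC_DOMAINS = {"nowautomation.com", "fluentzip.org", "mojobiden.com", "paymenthacks.com"}

# Constructed, simplified proxy log line format: ts|src_ip|dst_host|method|user_agent
LOG_RE = re.compile(r"^(?P<ts>\S+)\|(?P<src>\S+)\|(?P<dst>\S+)\|(?P<method>\w+)\|(?P<ua>.*)$")

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec):
    """Return the reasons a parsed record is suspicious (empty list if none)."""
    reasons = []
    if rec["ua"].strip() in BLACKMATTER_UAS:     # exact match, not substring
        reasons.append("fragment-ua")
    if rec["dst"].lower().rstrip(".") in IOC_DOMAINS:
        reasons.append("ioc-domain")
    return reasons

def beacon_summary(lines):
    """Count suspicious requests per (src, dst); repeated hits from one host
    to one destination are the beaconing pattern worth escalating."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec):
            counts[(rec["src"], rec["dst"])] += 1
    return dict(counts)

# Constructed sample log (not real telemetry). Line 2 is a normal Firefox UA
# that contains two of the fragments and must not be flagged.
SAMPLE_LOG = """\
2021-08-02T10:00:01Z|10.0.5.23|cdn.example.test|POST|Firefox/89.0
2021-08-02T10:00:02Z|10.0.5.24|intranet.example.test|GET|Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
2021-08-02T10:00:03Z|10.0.5.23|cdn.example.test|POST|Gecko/20100101
2021-08-02T10:00:04Z|10.0.5.25|mojobiden.com|POST|Mozilla/5.0 (Windows NT 6.1)
""".splitlines()
```

`beacon_summary(SAMPLE_LOG)` reports two suspicious POSTs from 10.0.5.23 to one destination and one request to a listed C2 domain, while the full Firefox UA on line 2 passes cleanly.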

Payload Configuration

The BlackMatter configuration, seemingly a JSON structure, allows the payload to be tailored toward a specific victim including:

  • RSA public key to be used to encrypt the Salsa20 encryption key.
  • Company victim ID
  • AES Key to be used during Salsa20 key initialization (used later in file encryption).
  • Bot malware version, mentioning the payload version.
  • Odd Crypt Large Files – to further damage large files such as databases.
  • Need Make Logon – will attempt to authenticate using the mentioned credentials in the config.
  • Mount units and crypt – attempt to mount volumes and encrypt them.
  • Look for network shares and AD resources and attempt to encrypt them as well.
  • Processes and services to terminate prior to encryption to ensure maximum impact.
  • Creating mutexes to avoid detection.
  • Preparing victim’s data and exfiltrating.
  • Dropping ransom notes post file encryption.
  • C2 domains to communicate over HTTP or HTTPS.
  • Setting a unique ransom note.
Figure 6 – Payload Configuration

Recommendations

  • Enforce MFA wherever possible.
  • Keep backup plans well maintained and operational.
  • Employ patch management processes on externally facing appliances such as VPNs.
  • Continuously assess the organization’s external posture, looking for accessible devices such as Exchange and vCenter servers.
  • Rotate user, admin and service account passwords while checking continuously for leaked credentials.
  • Prepare and practice incident response procedures for ransomware attacks.
  • Block the servers and IOCs listed below.

Indicators of Compromise (IOCs)

SHA256 Windows payloads:


SHA256 Linux payloads:

Domains:

  • nowautomation[.]com
  • fluentzip[.]org
  • mojobiden[.]com
  • paymenthacks[.]com

IP addresses:

  • 99.83.154[.]118
Dvir Sason

Dvir manages the Varonis Research Team. He has ~10 years of Offensive & Defensive security experience, focusing on red teaming, IR, SecOps, governance, security research, threat intel, and cloud security. Certified CISSP and OSCP, Dvir loves to solve problems, coding automations (PowerShell ❤, Python), and breaking stuff.

