CAS Cybersecurity
BlackMatter

Last updated 3 years ago


1. Introduction

This module provides an overview of BlackMatter ransomware, including demonstrating the malware being executed on a Windows OS.

2. What is BlackMatter?

BlackMatter is a RaaS (Ransomware as a Service) provider that came to light in July 2021. It encrypts the victim's files and replaces file extensions with random strings of numbers and letters. BlackMatter is available as a RaaS on the dark web, allowing other attackers to use the ransomware and providing them with custom configurable binary payloads in order to customize their attacks for specific targets. The group behind the ransomware are financially motivated individuals who profit from the underground sale of the malware, which is used to extort money from organizations. BlackMatter affiliates often employ a double extortion tactic by also exfiltrating the data they have encrypted and threatening to leak it unless the ransom is paid.

When attacked, the victim is provided with a dashboard on which they can see evidence of stolen data and individual ransom notes alongside other data such as victims' names and identifiers.

The BlackMatter group claims to fill the gap between the DarkSide and REvil ransomware groups, and its actions and behaviors are indeed similar to those seen in previous attacks carried out by both groups. McAfee claims that the people behind these groups are either the same or very closely related. Specific similarities to DarkSide and REvil are the runtime API and string decryption, including a custom Salsa20 matrix that was unique to DarkSide. Coincidentally, REvil disappeared from the dark web shortly before the BlackMatter group was formed.

The group behind BlackMatter tends to target Windows-based and Linux systems. Linux payloads, however, do not always encrypt data; in those cases they are used as RATs (remote access trojans) instead, to gain access to Windows-based machines. It appears that the threat group behind BlackMatter is only interested in organizations with revenues of $100M or more, especially those based in the US, UK, Canada, Australia, India, Brazil, Chile, and Thailand. However, they do not target hospitals, critical infrastructure, water treatment facilities, the defense industry, government sectors, nonprofits, and the oil and gas industry. If any of these organizations do fall victim to attacks, BlackMatter offers free decryptors. They even offer a $100 bounty to other threat groups that help them gain a point of access to victims' networks.

If a victim is under attack, the first thing they may notice is their desktop wallpaper being replaced with a message (as shown in the image above). They are then directed to a README file that instructs them to download a TOR browser and visit a TOR service where they can communicate with the attacker.

3. Typical Attack Vectors

BlackMatter relies on vulnerabilities in edge devices to gain initial access, such as those found in compromised Remote Desktop Protocol and VPN servers or appliances. How exposed an organization is often comes down to the VPN's encryption and how much information the VPN leaks.

As well as compromised protocols, the BlackMatter group abuses corporate credentials which they can obtain from third-party leaks, phishing campaigns, and by purchasing them from the dark web. With this tactic, they are taking advantage of those accounts that do not use multifactor authentication.

Typically, BlackMatter affiliates are quite opportunistic, in that they do not usually spend much time investigating their target. Instead, they tend to seek out organizations that they feel may be vulnerable in a way that matches how they (the attackers) intend to intrude into the system.

4. Attacker TTPs

5. Ransomware execution

Connect to the windows06 machine via the RDP shortcut on the Desktop.

Once you have connected to the windows06 machine desktop, you should see that the BlackMatter.exe file is present. Execute this file and watch the ransomware propagate as the machine becomes infected and the files are encrypted. Observe the changes to the file extensions after the BlackMatter executable is run, and read the ransom note that gets dropped onto the desktop.

6. Encryption method

Directories excluded during encryption:

windows, system volume information, intel, $windows.ws, application data, $recycle.bin, mozilla, program files (x86), program files, $windows.bt, public, msocache, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old

Filenames excluded during encryption:

desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log

File extensions excluded during encryption:

themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu

The above exclusions are stored as hashes of corresponding strings in the BlackMatter configuration. DarkSide has an almost identical exclusion list which gives us another reason to believe the two are linked!
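The exclusion lists above, together with the single random extension appended to every encrypted file (observed as lZPEh4fEk on windows06), give an analyst two things to check in a post-incident file listing: which extension was appended, and whether the renamed files are consistent with BlackMatter's exclusions. The following triage helper is an added example (not code from the original page or the course material); the file listing is constructed, and the minimum-hit threshold is an assumption.

```python
# Added triage example, not from the original page: spot a BlackMatter-style
# mass rename in a post-incident file listing and cross-check the exclusion lists.
import re
from collections import Counter
from pathlib import PureWindowsPath

# Exclusion lists as given on this page (BlackMatter stores hashes of these
# strings in its configuration; plain lower-case strings are enough for triage).
EXCLUDED_DIRS = {"windows", "system volume information", "intel", "$windows.ws",
    "application data", "$recycle.bin", "mozilla", "program files (x86)", "program files",
    "$windows.bt", "public", "msocache", "default", "all users", "tor browser", "programdata",
    "boot", "config.msi", "google", "perflogs", "appdata", "windows.old"}
EXCLUDED_NAMES = {"desktop.ini", "autorun.inf", "ntldr", "bootsect.bak", "thumbs.db", "boot.ini",
    "ntuser.dat", "iconcache.db", "bootfont.bin", "ntuser.ini", "ntuser.dat.log"}
EXCLUDED_EXTS = {"themepack", "nls", "diagpkg", "msi", "lnk", "exe", "cab", "scr", "bat", "drv",
    "rtp", "msp", "prf", "msc", "ico", "key", "ocx", "diagcab", "diagcfg", "pdb", "wpx", "hlp",
    "icns", "rom", "dll", "msstyles", "mod", "ps1", "ics", "hta", "bin", "cmd", "ani", "386",
    "lock", "cur", "idx", "sys", "com", "deskthemepack", "shs", "ldf", "theme", "mpa", "nomedia",
    "spl", "cpl", "adv", "icl", "msu"}

# The appended extension is one run of letters and digits, e.g. lZPEh4fEk on windows06.
APPENDED_EXT = re.compile(r"^[A-Za-z0-9]{6,12}$")
MIN_HITS = 3  # assumption: fewer files sharing an odd extension is noise, not a mass rename

def would_be_excluded(path):
    """True if BlackMatter's own exclusion list would have skipped this (original) path."""
    p = PureWindowsPath(path)
    dirs = {part.lower() for part in p.parts[1:-1]}
    ext = p.suffix.lstrip(".").lower()
    return bool(dirs & EXCLUDED_DIRS) or p.name.lower() in EXCLUDED_NAMES or ext in EXCLUDED_EXTS

def find_ransomware_extension(listing):
    """Return (ext, renamed_paths) for the dominant appended extension, else (None, [])."""
    exts = [PureWindowsPath(p).suffix.lstrip(".") for p in listing]
    counts = Counter(e for e in exts if APPENDED_EXT.match(e) and e.lower() not in EXCLUDED_EXTS)
    top = counts.most_common(1)
    if not top or top[0][1] < MIN_HITS:
        return None, []
    return top[0][0], [p for p in listing if p.endswith("." + top[0][0])]

def inconsistent_with_exclusions(renamed_paths, ext):
    """Renamed files the exclusion list says BlackMatter would have skipped; a non-empty
    result means the rename pattern does not match this configuration's behaviour."""
    return [p for p in renamed_paths if would_be_excluded(p[: -(len(ext) + 1)])]

SAMPLE_LISTING = [  # constructed listing modelled on the windows06 lab host
    r"C:\Users\lab\Documents\budget.xlsx.lZPEh4fEk", r"C:\Users\lab\Documents\report.docx.lZPEh4fEk",
    r"C:\Users\lab\Pictures\team.jpg.lZPEh4fEk", r"C:\Users\lab\Desktop\notes.txt.lZPEh4fEk",
    r"C:\Users\lab\Desktop\desktop.ini", r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Tool\tool.exe", r"C:\Users\lab\Music\Default.themepack"]
```

Running `find_ransomware_extension(SAMPLE_LISTING)` on the constructed listing yields the extension lZPEh4fEk with four renamed files, none of which fall under the exclusion lists.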

7. Security Questions

  1. What type of OS does BlackMatter target?

  2. What does RaaS stand for?

  3. The BlackMatter group claims to fill the gap between what ransomware groups?

  4. What does BlackMatter use Discovery techniques to check?

  5. When BlackMatter is moving laterally across the network, what SMB shares are used to interact with the victim's machine? (Name one)

  6. What URL is provided in the ransom note in order to contact the attacker?

  7. As previously mentioned, BlackMatter encrypts the victim's files and replaces file extensions with random strings of numbers and letters. What is the string used in the attack on the windows06 machine?

  8. What encryption method does BlackMatter tend to use?

8. Answers

  1. Linux and Windows

  2. Ransomware as a Service

  3. REvil and Darkside

  4. Processes, Services, Hosts

  5. Admin$

  6. http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV

  7. lZPEh4fEk

  8. Salsa20, 1024-bit RSA

On October 18, 2021, an alert was issued by the CISA, FBI, and NSA to warn that multiple US infrastructure entities had been targeted by BlackMatter, including food and agriculture sector organizations.

BlackMatter affiliates are known to employ various tactics, techniques, and procedures (TTPs) during exploitation. Below is an example of a fairly sophisticated BlackMatter attack kill chain that has been observed by the Cybersecurity and Infrastructure Security Agency (CISA) when investigating the ransomware.

BlackMatter leverages external-facing remote services, such as RDP, not only to gain access but also as a means to establish persistence on the target network. The group is often able to use these services by accessing valid credentials obtained via a third party.

The BlackMatter group has also been known to utilize credential dumping techniques to harvest credentials from LSASS memory, often using Windows Process Monitor. Once obtained, harvested credentials may then be used to move laterally across the network.

They also use a number of Discovery techniques to check what hosts, processes, or services are running. This is to further aid their lateral movement attempts. For example, they use native LDAP queries to discover hosts and the EnumServicesStatusExW API function to enumerate services.

In order to move laterally, the group uses remote services, specifically a Remote Procedure Call function, to enumerate all of the shares that were found through their Discovery techniques. They can then use SMB to interact with these shares, including ADMIN$, C$, SYSVOL, and NETLOGON, allowing them to move laterally throughout the network.

Then, BlackMatter affiliates will attempt to exfiltrate data for extortion.

The victim's files are encrypted via the SMB protocol, with a ransomware note in each directory that demands payment. On some occasions, BlackMatter will also perform a disk wipe on all backup systems.

BlackMatter uses a combination of Salsa20 and 1024-bit RSA keys for encryption. Salsa20 is a fast stream cipher that BlackMatter uses to encrypt the files; RSA is in turn used to encrypt the Salsa20 keys. BlackMatter does not encrypt all files: it specifies certain directories, file names, and extensions to be excluded from the encryption process, which ensures that the system is not broken and that Windows remains bootable. It also employs a partial encryption scheme, meaning that only part of each file is encrypted rather than the whole file. This shortens the encryption time, as only part of the file needs to be read and then overwritten.
Figure: Some variants of the malware have been known to change the victim's desktop wallpaper, as shown in the screenshot.