SophosLabs: Research shows BlackMatter ransomware is closely acquainted with DarkSide


New research from SophosLabs shows that there is a connection between BlackMatter and DarkSide ransomware. However, this is not a simple case of rebranding. Sophos’ analysis of the malware shows that while there are similarities with DarkSide ransomware, the code is not identical.

[Figure: a short comparison of some of the capabilities seen in the various groups]

In late July, a new ransomware-as-a-service (RaaS) operation appeared on the scene. Calling itself BlackMatter, the group claims to fill the void left by DarkSide and REvil, adopting the best tools and techniques from each of them and from the still-active LockBit 2.0. They also say that, while they are closely acquainted with the DarkSide operators, they are not the same people.

As the alleged operators behind the ransomware have claimed, there are also similarities with REvil and LockBit 2.0. For example, like both REvil and DarkSide, BlackMatter stores its configuration information inside the binary in an encoded format.

SophosLabs decoded this configuration and found that BlackMatter keeps a similar structure and similar information in its configuration blob: lists of processes and services to kill, the ransom note, C2 details, directories to avoid, and so on. Additionally, like DarkSide (and REvil), BlackMatter resolves the APIs it uses at run time, which can hinder static analysis of the malware.

As in the other two families, strings are encrypted and only revealed at run time. Sophos also found a few features that are distinct to BlackMatter. One of these is its ability to reset file permissions so that everyone can view a document; because the malicious encryption follows immediately, this does not by itself cause an immediate breach of privacy.

However, victims who pay the ransom receive a decrypter from the attacker that cannot restore the original access permissions, because that security information has been lost. IT admins should check and re-apply proper permissions when recovering from a BlackMatter ransomware attack.
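The permission check recommended above can be scripted. The following PowerShell script is an added example, not code from Sophos or from the article: it walks a recovered file tree, reports every file whose DACL grants an Allow entry to the built-in "Everyone" group (the symptom of the permission reset described above), and, only when explicitly asked, strips the explicit entries so that correct permissions can be re-applied from a known-good source. The parameter names, the report file name and the -RemoveEveryoneRules switch are assumptions of this script.

```powershell
<#
Added example (not Sophos' or the article's code): audit a recovered file tree
for "Everyone" allow entries left behind by a permission reset, and optionally
remove the explicit ones. $Path, $Report and -RemoveEveryoneRules are assumptions.
#>
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$Report = '.\everyone-acl-report.csv',
    [switch]$RemoveEveryoneRules
)

$EveryoneSid = 'S-1-1-0'   # well-known SID for Everyone; independent of display language
$findings    = New-Object System.Collections.Generic.List[object]

function Get-RuleSid {
    # Resolve an access rule's identity to its SID string, or $null if unresolvable.
    param([System.Security.AccessControl.FileSystemAccessRule]$Rule)
    try {
        return $Rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null   # orphaned SID or untranslatable name: treat as not Everyone
    }
}

Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }  # skip unreadable ACLs

    $toRemove = @()
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ((Get-RuleSid $rule) -ne $EveryoneSid) { continue }

        $findings.Add([pscustomobject]@{
            Path      = $file.FullName
            Rights    = $rule.FileSystemRights.ToString()
            Inherited = $rule.IsInherited
            Owner     = $acl.Owner
            LastWrite = $file.LastWriteTimeUtc
        })

        # Only explicit (non-inherited) entries live in this file's DACL;
        # inherited ones must be corrected on the parent folder instead.
        if (-not $rule.IsInherited) { $toRemove += $rule }
    }

    if ($RemoveEveryoneRules -and $toRemove.Count -gt 0) {
        foreach ($rule in $toRemove) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -LiteralPath $file.FullName -AclObject $acl   # write the DACL once per file
    }
}

$findings | Export-Csv -LiteralPath $Report -NoTypeInformation
"Files with 'Everyone' allow entries: $($findings.Count). Report written to $Report."
```

Run it from an elevated session, first without -RemoveEveryoneRules, and compare the report against a baseline of the intended permissions (for example one captured with `icacls /save` from a backup or a clean reference system) before removing anything. Removing the Everyone entries only takes away the over-broad access; the original, lost ACLs still have to be restored from that baseline.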

It’s still early days for this new ransomware-as-a-service family, but this research suggests that in the hands of an experienced attacker, this ransomware can cause a lot of damage without triggering many alarms. It is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with potentially disastrous consequences.

These findings are based on a deep dive analysis of the BlackMatter malware by SophosLabs as well as a Sophos Rapid Response investigation into an incident involving BlackMatter ransomware.

Read the full report by SophosLabs
