Blackmatter ransomware: a super broad overview

I’d like to write about this activity from the broader view of an attack, because analysing any attack involving Blackmatter ransomware reveals a pattern in the initial attack vector, and the group’s target profile aligns with the preconditions of the attack.

As a foreword though, this is not specific to the Blackmatter group, as they operate as a RaaS: Ransomware as a Service. The payload is prebuilt, customised and sold to affiliates under conditions. Affiliates then conduct attacks on their targets. Therefore, while there are separate operators, they essentially operate in Blackmatter’s name, and Blackmatter has a hand in every attack. For example, the operator who attacked Olympus in 2021 is either unidentified, or their identity has not been publicly disclosed.

The attack pattern before deploying the Blackmatter ransomware payload typically begins by compromising vulnerable edge devices such as routers and switches – essentially the devices that act as entry or exit points for the network. Attack vectors also extend to remote desktops and VPNs; however, given the dissimilar group of operators, the initial entry exploits a different vulnerability in each case.

In a technical analysis of the Blackmatter ransomware by Shahar Zelig, once the payload is delivered to the target system, “BlackMatter first enumerates all the computer accounts in Active Directory. Next it retrieves the attributes for each computer account, then enumerates the shares for each computer, and finally attempts to encrypt each available share.” (Dark Reading, 2022)

This analysis points to a fairly simple mitigation that prevents further spread of the ransomware from the top; however, it doesn’t outright eliminate traces of the attack. For example, the patient-zero machine would still be infected, but machines not in the same environment as the compromised machine wouldn’t be affected or remotely encrypted.
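The spread pattern quoted above (one host enumerating and then encrypting shares on every reachable computer) is also a detection opportunity: a single source touching shares on many distinct hosts in a short window. The Python below is an added example, not part of the original post or of the cited analysis; it runs over constructed share-access records (timestamp, source host, target host, share), not real telemetry, and the host names and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample share-access records: timestamp, source host,
# target host, share. Not real telemetry; WS-0142 plays "patient zero".
SAMPLE_EVENTS = """\
2021-09-10T02:00:01 WS-0142 FS-01 Finance
2021-09-10T02:00:03 WS-0142 FS-02 HR
2021-09-10T02:00:04 WS-0142 WS-0007 ADMIN$
2021-09-10T02:00:06 WS-0142 WS-0008 C$
2021-09-10T02:00:07 WS-0142 WS-0009 C$
2021-09-10T02:00:09 WS-0142 SRV-APP1 Data
2021-09-10T02:01:15 WS-0201 FS-01 Finance
2021-09-10T02:45:00 WS-0201 FS-02 HR
"""

def parse_events(text):
    """Parse whitespace-separated records into (ts, src, dst, share) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, share = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, share))
    return events

def find_share_sprayers(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {source: distinct_target_count} for every source host that
    reached at least `min_hosts` distinct target hosts inside one `window`
    (sliding window per source over time-sorted events)."""
    by_src = defaultdict(list)
    for ts, src, dst, _share in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        left = best = 0
        for right in range(len(hits)):
            while hits[right][0] - hits[left][0] > window:
                left += 1  # drop events that fell out of the window
            distinct = len({dst for _ts, dst in hits[left:right + 1]})
            best = max(best, distinct)
        if best >= min_hosts:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for host, n in find_share_sprayers(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: reached shares on {n} distinct hosts within 5 minutes")
```

Normal users such as WS-0201 touch a couple of shares over the course of an hour and stay below the threshold; tune `window` and `min_hosts` to the environment's own baseline before alerting on them.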

There were several vulnerabilities exploited, each not necessarily related to or combined with the others in a single attack. However, assumptions can be made based on whom they choose to attack. Below is a listing advertised by the Blackmatter group on the dark web. It looks just like an ordinary classified ad, yet we can ascertain that the target requirements are affluent companies with revenues of $100 million or more.

Further reading on Blackmatter can be found at: https://illusive.com/resources/threat-research-blog/preventing-blackmatter-ransomware-from-encryption-of-available-remote-share/