03.11.2021

The Darker Things

BlackMatter and their victims
Andrey Zhdanov
Threat Hunter at Group-IB DFIR Team
Today, on November 3, the BlackMatter gang announced it was shutting down its Ransomware-as-a-Service program due to "pressure from the authorities".

However, this doesn't mean that BlackMatter's affiliates will stop their malicious activity. They will most likely join other RaaS programs. In addition, this might simply be an attempt at a fresh start under a different name: just as BlackMatter was a rebranding of DarkSide, a new successor may appear soon. Therefore, given the similarities we observed between DarkSide and BlackMatter ransomware back in August, it's important to be aware of the features of the latest ransomware versions: malware configuration, the encryption mechanisms in use, etc.

For this purpose, experts from Group-IB's Digital Forensics and Incident Response Team analyzed new BlackMatter samples for Windows and Linux. Andrey Zhdanov, Group-IB's threat hunter, shares new data on his findings.
A US architectural firm was among the first to fall victim to BlackMatter in late July 2021. Since then, the BlackMatter operators' appetites have grown considerably, the frequency of attacks has increased, and the threat actors seem to have been constantly improving their tools. The average ransom demand is $5.3 million, with the maximum, which the attackers demanded from Japan's Olympus Corporation, reaching $30 million.
BlackMatter affiliates try their best to pick their victims carefully, so as not to draw too much attention, but they are not exactly succeeding. Since the first BlackMatter attacks were reported, they have received very close attention from threat researchers. On 18 October 2021, CISA, the FBI and the NSA issued a joint advisory naming BlackMatter ransomware as responsible for attacks on U.S. critical infrastructure that had begun in July 2021. As of November 2021, the list of BlackMatter victims consists of more than 50 companies based in the US, Austria, Italy, France, Japan, and other countries.
BlackMatter for Windows
Depending on command line parameters, the Windows ransomware can operate in five different modes. We were able to recover the command line arguments by analyzing the hashes the ransomware stores for them.
-path [PATH] – encryption of the specified object (directory, file, network resource).

-safe – self-registration in the RunOnce key of the system registry and a reboot to encrypt files in safe mode.

-wall – creating a BMP image with information about the encryption of files and setting it as the desktop wallpaper.

[PATH] – encryption of the specified directory/file.
When other parameters are set, or no parameters are given, the system is fully encrypted according to the configuration settings. Upon completing the encryption, the ransomware creates a BMP image alerting the victim that files have been encrypted, which it then sets as the desktop wallpaper. Starting from version 1.4, the ransomware can also print the text of the ransom demand on the victim's default printer.

When BlackMatter launches, it checks the rights of the current user and, if necessary, tries to bypass UAC (User Account Control) by escalating privileges through the ICMLuaUtil COM interface. Also, if the appropriate flag is set in the configuration, it attempts to authenticate using the credentials contained in the configuration data.

Before starting the encryption, BlackMatter deletes shadow copies of partitions using WQL queries (WMI Query Language).

To encrypt files, BlackMatter uses the most efficient multithreading implementation, based on I/O (input/output) completion ports. The malware also sets the highest priority (THREAD_PRIORITY_HIGHEST) for the file enumeration and encryption threads. By default, only the first megabyte of each file's contents is encrypted. In earlier versions, data was encrypted using Salsa20. Apparently, the authors of BlackMatter, just like the authors of another ransomware family, Petya, five years ago, made mistakes in their implementation of the Salsa20 algorithm. Starting from version 1.9, file contents are encrypted using a modified implementation of the ChaCha20 algorithm, presumably taken from the Crypto++ library; this implementation uses SSSE3 processor instructions. The ChaCha20 keys are encrypted with an RSA-1024 public key, and a data block containing the encrypted key is appended to the end of the file. The names of the encrypted files are as follows:
[FILENAME].[VICTIM_ID]

FILENAME – the original name of the file.

VICTIM_ID – the victim ID generated from the string contained in the MachineGuid value of the HKLM\SOFTWARE\Microsoft\Cryptography registry key.
The BlackMatter configuration contains the names of directories, files and extensions that are skipped during encryption, stored as lists of checksums (hashes).

In each processed directory, the ransomware creates a text file containing the ransom demand:
[VICTIM_ID].README.txt
Configuration
The BlackMatter configuration data for Windows is contained in a section disguised as a ".rsrc" resource section, although it contains no resources.
The first 64-bit number (0F8B2AB512017D0F5h) in the section is the initial value (random seed) for the pseudo-random sequence generator used to encrypt the program data. The next 32-bit value is the actual size of the configuration data. Prior to encryption, the configuration data was compressed using the aPLib compression algorithm, which is popular among ransomware developers: it has previously been found in families such as DarkSide, DoppelPaymer and Clop.
Configuration data after decryption and decompression.
Logical flags that indicate the ransomware settings:
Offset table of configuration parameter values.
The table contains 32-bit numbers that are offsets, relative to the beginning of the table itself, to the remaining configuration data fields, which are stored as null-terminated Base64 strings. If an offset is 0, the field has no value.
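As an added example (not Group-IB's or the article's own code), the following Python parses an offset table of the form just described from an already decrypted and decompressed configuration blob. It assumes the offsets are little-endian 32-bit values, that the caller knows the number of table entries (the article does not state it), and that the table may sit at any position inside the blob; the blob itself is constructed for the example, and build_table exists only to construct it.

```python
"""Parse a BlackMatter-style configuration offset table (added example).

Layout assumed from the article: an array of uint32 offsets, each relative
to the start of the array, pointing at NUL-terminated Base64 strings; an
offset of 0 means the field has no value. Entry count and endianness are
assumptions made for this example.
"""
import base64
import struct


def build_table(fields):
    """Construct a sample blob: offset table followed by the encoded fields.

    `None` marks an absent field and is stored as offset 0.
    """
    n = len(fields)
    table_size = 4 * n
    body = bytearray()
    offsets = []
    for field in fields:
        if field is None:
            offsets.append(0)
            continue
        offsets.append(table_size + len(body))  # relative to table start
        body += base64.b64encode(field) + b"\x00"
    return struct.pack("<%dI" % n, *offsets) + bytes(body)


def parse_table(blob, n_entries, table_offset=0):
    """Return the decoded field values, with None where the offset is 0.

    `table_offset` is where the offset table begins inside `blob`; all
    offsets in the table are resolved relative to that position.
    """
    end_of_table = table_offset + 4 * n_entries
    if end_of_table > len(blob):
        raise ValueError("blob too short for an offset table of %d entries" % n_entries)
    offsets = struct.unpack_from("<%dI" % n_entries, blob, table_offset)
    values = []
    for off in offsets:
        if off == 0:
            values.append(None)  # field not present in this configuration
            continue
        start = table_offset + off
        end = blob.find(b"\x00", start)  # fields are NUL-terminated
        if start >= len(blob) or end == -1:
            raise ValueError("offset 0x%x is out of range or the field is unterminated" % off)
        # validate=True rejects stray bytes that a corrupted table might point at
        values.append(base64.b64decode(blob[start:end], validate=True))
    return values


# Constructed sample: values are placeholders, not real configuration content.
SAMPLE_FIELDS = [
    b"COMPANY-ID-PLACEHOLDER",                         # e.g. a company_id field
    None,                                              # an absent field -> offset 0
    b"Your files are encrypted (constructed note text)",
]
SAMPLE_BLOB = build_table(SAMPLE_FIELDS)

if __name__ == "__main__":
    for i, value in enumerate(parse_table(SAMPLE_BLOB, len(SAMPLE_FIELDS))):
        print("field %d: %r" % (i, value))
```

Because the offsets are relative to the table rather than to the section start, the same parser works whether the table is at the start of the decompressed data or preceded by the flag bytes; only table_offset changes.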
Known versions
BlackMatter for Linux
BlackMatter ransomware for Linux targets VMware ESXi servers. Depending on the settings in the configuration data, the ransomware can stop virtual machines and terminate specified processes before encrypting data. It also disables the firewall. To encrypt virtual machine files, the ransomware uses the esxcli utility to obtain a list of storage volumes with the "vmfs", "vffs" and "nfs" file systems.

BlackMatter for Linux implements multithreaded encryption of files with the extensions specified in the configuration. Data is encrypted in blocks that are multiples of one megabyte using the HC-256 stream cipher. The HC-256 keys are encrypted with an RSA-4096 public key. The Crypto++ library is used to implement the encryption algorithms.

Data transfer to attacker-controlled resources on the internet is implemented using the libcurl library.
Configuration
BlackMatter configuration data for Linux is contained in the ".cfgETD" section of the ELF file. The data is encrypted, compressed using the zlib library, and encoded using Base64.

Encrypted configuration data after Base64 decoding and zlib decompression:
The configuration data is encrypted with a cyclic bytewise XOR using the key contained in its first 32 bytes.

After decryption, the configuration data is in JSON format.
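The decoding chain described above (Base64, zlib, cyclic XOR with the leading 32-byte key, JSON), as an added Python example that is not part of the article or of Group-IB's tooling. It assumes the raw contents of the ".cfgETD" section have already been extracted from the ELF file (for example with readelf -x .cfgETD), and that the 32-byte key is not part of the JSON body. The sample configuration, all of its field names other than bot-id, and the encode_config helper are constructed for this example only.

```python
"""Decode a BlackMatter-for-Linux style configuration blob (added example).

Chain per the article: Base64 -> zlib -> [32-byte XOR key | XOR-ed body] -> JSON.
"""
import base64
import json
import zlib

KEY_LEN = 32  # the key occupies the first 32 bytes of the decompressed data


def xor_cyclic(data: bytes, key: bytes) -> bytes:
    """Bytewise XOR of `data` with `key`, repeating the key cyclically."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_config(blob: bytes) -> dict:
    """Turn the section contents into the configuration dictionary."""
    compressed = base64.b64decode(blob, validate=True)
    decompressed = zlib.decompress(compressed)
    if len(decompressed) <= KEY_LEN:
        raise ValueError("data too short to hold a 32-byte key and a body")
    key, body = decompressed[:KEY_LEN], decompressed[KEY_LEN:]
    return json.loads(xor_cyclic(body, key).decode("utf-8"))


def encode_config(config: dict, key: bytes) -> bytes:
    """Inverse of decode_config; used only to build the constructed sample."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly %d bytes" % KEY_LEN)
    body = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(zlib.compress(key + xor_cyclic(body, key)))


# Constructed sample. `bot-id` is the identifier name the article gives for the
# Linux version; its value and the remaining field names are assumptions.
SAMPLE_KEY = bytes(range(0x10, 0x30))
SAMPLE_CONFIG = {
    "bot-id": "0123456789abcdef0123456789abcdef",  # 16-byte ID rendered as hex (constructed)
    "stop_vms": True,
    "disable_firewall": True,
    "extensions": ["vmdk", "vmx", "log"],
}
SAMPLE_BLOB = encode_config(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    print(json.dumps(decode_config(SAMPLE_BLOB), indent=2))
```

The length check before splitting off the key is the one step worth keeping when adapting this to real samples: a truncated or wrongly extracted section would otherwise produce an empty or garbage body rather than a clear error.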
Configuration parameters
Known versions
Victims and threat actors
To identify its victims, BlackMatter uses a unique 16-byte identifier contained in the configuration data: company_id (Windows version) and bot-id (Linux version). For each victim, the attackers create a Tor chat room for communication. The link to this chat is given in the text file containing the ransom demand.
When the ultimatum expires, the threat actors double the ransom amount, and later publish the stolen documents if the victim refuses to pay.
Initially, these chats were public, and many people were privy to the correspondence between BlackMatter "tech support" and their victims and even tried to outwit them.
Source: https://twitter.com/ddd1ms/status/1441044423798820889
On September 23, 2021, BlackMatter affiliates closed public access to the chat rooms; a session key is now required to log in, which involves verification of the company and confirmation of the victim's affiliation.
Victimology
Company_id values and Tor links extracted from the ransomware and from the text files containing the ransom demand.
As mentioned above, BlackMatter affiliates try not to draw attention to their activities, so the threat actors choose small and medium-sized businesses as targets. However, the attacks on Olympus and NEW Cooperative caused a public outcry.
Indicators of compromise
SHA-256
YARA rules
                
/*
BlackMatter ransomware
*/

import "elf"

rule DarkSide_BM
{
    meta:
        author = "Andrey Zhdanov"
        company = "Group-IB"
        family = "ransomware.darkside_blackmatter"
        description = "DarkSide/BlackMatter ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $h1 = { 64 A1 30 00 00 00 8B B0 A4 00 00 00 8B B8 A8 00
                00 00 83 FE 05 75 05 83 FF 01 }

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (1 of ($h*))
        )
}

rule BlackMatter
{
    meta:
        author = "Andrey Zhdanov"
        company = "Group-IB"
        family = "ransomware.blackmatter.windows"
        description = "BlackMatter ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $h0 = { 80 C6 61 80 EE 61 C1 CA 0D 03 D0 }
        $h1 = { 02 F1 2A F1 B9 0D 00 00 00 D3 CA 03 D0 }
        $h2 = { 3C 2B 75 04 B0 78 EB 0E 3C 2F 75 04 B0 69 EB 06
                3C 3D 75 02 B0 7A }
        $h3 = { 33 C0 40 40 8D 0C C5 01 00 00 00 83 7D 0? 00 75
                04 F7 D8 EB 0? }

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (1 of ($h*))
        )
}

rule BlackMatter_Linux
{
    meta:
        author = "Andrey Zhdanov"
        company = "Group-IB"
        family = "ransomware.blackmatter.linux"
        description = "BlackMatter ransomware Linux payload"
        severity = 10
        score = 100

    strings:
        $h0 = { 0F B6 10 84 D2 74 19 0F B6 34 0F 40 38 F2 74 10
                48 83 C1 01 31 F2 48 83 F9 20 88 10 49 0F 44 C9
                48 83 C0 01 4C 39 C0 75 D7 }
        $h1 = { 44 42 46 44 C7 4? [1-2] 30 35 35 43 C7 4? [1-2]
                2D 39 43 46 C7 4? [1-2] 32 2D 34 42 C7 4? [1-2]
                42 38 2D 39 C7 4? [1-2] 30 38 45 2D C7 4? [1-2]
                36 44 41 32 C7 4? [1-2] 32 33 32 31 C7 4? [1-2]
                42 46 31 37 }

    condition:
        (uint32(0) == 0x464C457F) and
        (
            (1 of ($h*)) or
            for any i in (0..elf.number_of_sections-2):
            (
                (elf.sections[i].name == ".app.version") and
                (elf.sections[i+1].name == ".cfgETD")
            )
        )
}
                
How to protect your network against ransomware:
• Make your remote access tools secure. Use multifactor authentication or at least set complex passwords and change them regularly.
• Eliminate vulnerabilities in publicly accessible apps as soon as possible, especially those that could allow attackers to bypass the external perimeter.
• Implement comprehensive email protection to detect and stem the most sophisticated threats.
• Monitor what your contractors do in your network. Providing them with remote access should be strictly regulated.
• Instantly patch vulnerabilities on hosts on the internal network that attackers could leverage to escalate privileges or propagate across the network.
• Monitor the use of dual-use tools that could help attackers conduct network reconnaissance, obtain authentication data, and much more.
• Restrict access to cloud storage. This will help keep attackers from exfiltrating data from the corporate network.
• Make sure all accounts have the least possible privileges on the systems. In case of an attack, this will make it difficult for threat actors to move laterally across the network.
• Use separate accounts with multifactor authentication to access servers containing backups. Moreover, make sure that you have offline copies.
• Implement a modern threat monitoring and blocking tool that will help contain and repel attacks at any stage of the kill chain.
For more information about attacks using human-operated ransomware, see the Group-IB report "Ransomware 2020/2021".