When other parameters are supplied, or none at all, the system is encrypted in full according to the configuration settings. Upon completing the encryption, the ransomware creates a BMP image announcing that the files have been encrypted and sets it as the desktop wallpaper. Starting from version 1.4, the ransomware can also print the text of the ransom demand on the victim's default printer.
When BlackMatter launches, it checks the privileges of the current user and, if necessary, attempts to bypass UAC (User Account Control) and escalate privileges using the ICMLuaUtil COM interface. If the corresponding flag is set in the configuration, it also attempts to authenticate with the credentials stored in the configuration data.
Before starting encryption, BlackMatter deletes volume shadow copies using WQL (WMI Query Language) queries.
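Shadow-copy deletion through WMI is the kind of pre-encryption step a defender can hunt for in WMI telemetry. The following is an added example written for this page, not code from the report or from BlackMatter: it runs over constructed log lines loosely modelled on the Operation field of Microsoft-Windows-WMI-Activity events (the exact field layout here is an assumption and simplified) and flags a client process that both enumerated `Win32_ShadowCopy` and invoked `Delete` on an instance, while leaving enumeration-only activity (backup agents, admin tooling) unflagged.

```python
import re
from collections import defaultdict

# Constructed sample lines (not taken from the report), loosely modelled on the
# Operation text of Microsoft-Windows-WMI-Activity events. Real events carry more
# fields; only the parts this detector needs are reproduced here. (assumption)
SAMPLE_LINES = [
    "2021-09-01T10:01:02Z Id=5858 ClientProcessId=4120 Operation=Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_OperatingSystem",
    "2021-09-01T10:01:05Z Id=5858 ClientProcessId=6320 Operation=Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_ShadowCopy",
    "2021-09-01T10:01:05Z Id=5858 ClientProcessId=6320 Operation=Start IWbemServices::ExecMethod - root\\cimv2 : Win32_ShadowCopy.ID=\"{00000000-0000-0000-0000-000000000001}\"::Delete",
    "2021-09-01T10:02:00Z Id=5858 ClientProcessId=7788 Operation=Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_ShadowCopy",
]

PID_RE = re.compile(r"ClientProcessId=(\d+)")
# A WQL SELECT against the shadow-copy class (enumeration).
QUERY_RE = re.compile(r"ExecQuery\b.*\bFROM\s+Win32_ShadowCopy\b", re.IGNORECASE)
# A method call that deletes a specific shadow-copy instance.
DELETE_RE = re.compile(r"ExecMethod\b.*\bWin32_ShadowCopy\b.*::Delete\b", re.IGNORECASE)


def classify(line: str):
    """Return ("query" | "delete", pid) for shadow-copy WMI activity, else None."""
    m = PID_RE.search(line)
    if not m:
        return None
    pid = int(m.group(1))
    if DELETE_RE.search(line):
        return ("delete", pid)
    if QUERY_RE.search(line):
        return ("query", pid)
    return None


def shadow_copy_activity(lines):
    """Map each client PID to the kinds of Win32_ShadowCopy activity it produced."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            kind, pid = hit
            seen[pid].add(kind)
    return dict(seen)


def find_shadow_copy_deleters(lines):
    """PIDs that enumerated Win32_ShadowCopy and then deleted an instance.

    Enumeration alone is common for legitimate backup software, so only the
    query-then-delete combination from one client process is reported.
    """
    return sorted(pid for pid, kinds in shadow_copy_activity(lines).items()
                  if {"query", "delete"} <= kinds)


if __name__ == "__main__":
    print("activity by PID:", shadow_copy_activity(SAMPLE_LINES))
    print("query-then-delete PIDs:", find_shadow_copy_deleters(SAMPLE_LINES))
```

Whether successful `ExecQuery`/`ExecMethod` calls appear in your logs at all depends on the WMI-Activity tracing you have enabled on the endpoint; process-creation telemetry for the resulting deletion is a complementary source. The PID correlation is deliberately simple and would need a time window in production so that PID reuse does not join unrelated events.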
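The file-encryption scheme described next, in which only the first megabyte of each file is encrypted by default and the rest is left untouched, leaves a recognisable entropy signature that helps when triaging a file share after an incident. The following is an added example written for this page, not code from the report or from BlackMatter: it measures Shannon entropy over the leading head (1 MiB by default) and over the remainder, and reports a file as partially encrypted when the head looks like ciphertext and the tail still looks like plaintext. The sample data is constructed (deterministic SHA-256 output stands in for ChaCha20 ciphertext), and the 7.5/6.0 thresholds are assumptions to tune against your own file types.

```python
import hashlib
import math

ONE_MIB = 1024 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def partial_encryption_profile(data: bytes, head_len: int = ONE_MIB) -> dict:
    """Entropy of the leading head_len bytes versus everything after them."""
    head, tail = data[:head_len], data[head_len:]
    return {
        "head_entropy": round(shannon_entropy(head), 3),
        "tail_entropy": round(shannon_entropy(tail), 3),
        "tail_len": len(tail),
    }


def looks_partially_encrypted(data: bytes, head_len: int = ONE_MIB,
                              high: float = 7.5, low: float = 6.0) -> bool:
    """True when the head is ciphertext-like and the tail still looks like plaintext.

    Files no longer than head_len have no tail: the scheme would have encrypted
    them in full, so the heuristic has nothing to compare and returns False.
    Thresholds are assumptions; compressed or already-encrypted formats are
    high-entropy throughout and therefore do not match the head-high/tail-low shape.
    """
    p = partial_encryption_profile(data, head_len)
    if p["tail_len"] == 0:
        return False
    return p["head_entropy"] >= high and p["tail_entropy"] <= low


# --- constructed sample data (not from any real incident) ---------------------

def pseudo_ciphertext(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for stream-cipher output."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


def sample_plaintext(n: int) -> bytes:
    """Low-entropy text, repeated to the requested length."""
    line = b"Quarterly report: revenue up, costs flat, headcount unchanged.\n"
    return (line * (n // len(line) + 1))[:n]


def simulate_victim_file(total_len: int, head_len: int) -> bytes:
    """Plaintext whose first head_len bytes have been replaced by ciphertext."""
    clear = sample_plaintext(total_len)
    return pseudo_ciphertext(head_len) + clear[head_len:]


if __name__ == "__main__":
    head = 4096  # small head so the demo runs instantly; the real default is ONE_MIB
    untouched = sample_plaintext(16 * head)
    hit = simulate_victim_file(16 * head, head)
    print(partial_encryption_profile(untouched, head), looks_partially_encrypted(untouched, head))
    print(partial_encryption_profile(hit, head), looks_partially_encrypted(hit, head))
```

In practice the check is run with the 1 MiB default over the on-disk file bytes, and the result is one triage signal among several (renamed extension, appended trailer, modification time) rather than a verdict on its own.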
To encrypt files, BlackMatter uses an efficient multithreading implementation built on an I/O (input/output) completion port. The malware also sets the highest priority (THREAD_PRIORITY_HIGHEST) for the file enumeration and encryption threads. By default, only the first megabyte of each file's contents is encrypted. In earlier versions, data was encrypted with Salsa20. Apparently the BlackMatter authors, just like the authors of another ransomware, Petya, five years earlier, made mistakes in their implementation of the Salsa20 algorithm. Starting from version 1.9, file contents are instead encrypted with a modified implementation of the ChaCha20 algorithm, presumably taken from the Crypto++ (CryptoPP) library. This ChaCha20 implementation uses SSSE3 processor instructions. The ChaCha20 keys are encrypted with an RSA-1024 public key, and a data block containing the encrypted key is appended to the end of the file. The names of the encrypted files are as follows: