BlackMatter Under the Lens: An Emerging Ransomware Group Looking for Affiliates

A new ransomware group is emerging on the darkweb, looking for affiliates to start its operations. This group calls itself BlackMatter and has posted ads on two cybercrime forums named Exploit[.]in, and XSS[.]is. The BlackMatter ransomware group is seeking cybercriminals already having access to the potential target’s networks. In RaaS, the ransomware group creates ransomware and a platform to manage the possible targets and victims.

CategorySurface Web
Risk ScoreHigh
TLP RatingWhite
APT GroupN/A
Threat NameBlackMatter
TargetFirms with revenue of $100 Million and
Affected RegionUnited States of America, Canada, Australia, and Great Britain.
Threat DescriptionNew ransomware group looking for affiliates for ransomware operations.
BlackMatter Threat Summary (Available to enterprise customers since July 21)

Technical Analysis:

Cyble Research Labs found the post on XSS[.]is by the threat actor named BlackMatter, as shown in Figure 1. In the post, the TA has mentioned the conditions required for affiliates to join them, which are as follows:

  • Corporate Networks should be from one of the following countries: the United States of America, Canada, Australia, and Great Britain.
  • They are targeting all organizations except the medical industry and government institutions.
  • The revenue of the target organization should be more than $100 million and should be having 500-1500 hosts.
  • The networks on which other actors have already tried attacks are excluded from the target list.
Figure 1 BlackMatter group posted an ad for affiliates posted on

The TA has given two options for affiliation. The first option offers to buy network access for an amount ranging from $3k to $100k. In the second option, affiliates may work with the group in place of a percentage in ransom. Once the affiliates are selected, they need to deposit $120,000 to the group to participate in their ransomware activity.

The TA has posted a similar threat post on another cybercrime forum named Exploit[.]in. The TA post is shown in Figure 2.

Figure 2 BlackMatter group posted an ad for affiliates posted on Exploit[.]in

We found that the leak website of the BlackMatter ransomware group is hosted in the TOR network (Figure 3). The Home page shows buttons for media updates and contact. The Home page displays the message, “All blogs hidden for now. For a very short time.” It indicates that the group has started its operations.

Figure 3: Home page of the BlackMatter Ransomware.

When we clicked on the button for media updates, we were redirected to the Media page, as shown in Figure 4. It also displays information such as excluded targets and messages to the media. Following is the list of excluded targets:

  • Hospitals.
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).
  • Oil and gas industry (pipelines, oil refineries).
  • Defense industry.
  • Non-profit companies.
  • Government sector.

Referring to the above list, we can say that the ransomware group is targeting private organizations so that they can continue their operations without getting media attention. We can imply that attackers are aware of the consequences of compromising highly sensitive targets. Based on rules and about us information given on the BlackMatter ransomware leak website, we suspect that this group has close connections with the DarkSide ransomware group. We presume that the group is only interested in the money.

Figure 4 Media page of the BlackMatter Ransomware group.

Figure 4 shows the contact page of the BlackMatter Ransomware through which people can contact the ransomware group.

Figure 5 Contact page of the BlackMatter Ransomware.


The BlackMatter ransomware group tries to gain access to critical servers from other threat actors in order to launch its campaign. Organizations should perform security scanning and immediate patching of known vulnerabilities using various processes such as Vulnerability Assessment and Penetration Testing (VAPT), Red teaming, and Purple teaming.

Cyble Research Labs is continuously monitoring BlackMatter activities. We will keep informing our clients with recent updates about this campaign.

Our Recommendations:

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit 

Comments are closed.

Scroll to Top