Recently, a new ransomware group has emerged and started posting multiple threads on cybercrime forums stating that it seeks affiliates and partners. The Threat Actor (TA) behind this ransomware has reused and enhanced techniques from existing ransomware groups such as DarkSide, REvil, and LockBit. Cyble Research Lab covered the overview and modus operandi of the BlackMatter ransomware group in an earlier blog (BlackMatter Under The Lens: An Emerging Ransomware Group Looking For Affiliates).
The BlackMatter ransomware encrypts document files and demands a ransom in exchange for the decryptor tool. Cyble Research Lab has identified that BlackMatter ransomware uses multiple anti-debugging and anti-analysis techniques. In this blog post, we dissect the notorious ransomware named BlackMatter.
Technical Analysis
Our static analysis found that the malware is a GUI-based x86 executable compiled on 2021-07-23 21:51:18, as shown in Figure 1.

Cyble Research Lab also found that the malware imports only three libraries: gdi32.dll, user32.dll, and kernel32.dll, as shown in Figure 2. Furthermore, only a few APIs (Application Programming Interfaces) are present in the ransomware's import table, as shown in Figure 3. Such a sparse import table is itself a hint that the remaining APIs are resolved at runtime, which the dissection below confirms.


Upon execution, the ransomware does not create any subprocesses. Instead, it uses multiple threads, as shown in Figure 4.

Figure 5 shows the user document files encrypted by the ransomware, with a random extension (for example, .9F4wvLwwX) appended to every encrypted file.

The BlackMatter ransomware also drops a ransom note on the victim's machine that guides the victim through the process of contacting the TA to obtain the decryption tool, as shown in Figure 6.

Once the encryption process ends, the ransomware changes the wallpaper to show the message to the victim, as shown in Figure 7.

Cyble Research Lab also captured the traffic that the ransomware initiates to communicate with, and send data to, the TA's Command & Control (C2) server, as shown in Figure 8.

Dissection of BlackMatter Ransomware
Cyble Research Lab started with code and behavior analysis. As shown in Figure 9, the ransomware code is calling multiple functions.

Furthermore, the core logic of this ransomware is split into only five key functions, as shown in Figure 10.

Figure 11 shows the function used to dynamically load all the additional libraries and APIs required by this ransomware.

The above function is responsible for loading various system dynamic link libraries (DLLs) and the required APIs from each library. The dword_* values point to the encrypted API names required by this ransomware, as shown in Figure 12.

All other libraries/DLLs are then loaded after executing the subsequent function in sub_405E5C, as shown in Figure 13.

The ransomware loads more than 180 Windows APIs in this way, as shown in Figure 14.

Upon execution, the ransomware creates a mutex named 0d216858b68c0bcae655c2eaffeee2ad, as shown in Figure 15. The mutex ensures that only one instance of the ransomware runs at a time.

Cyble Research Lab also noticed that the ransomware deletes three Windows services. These services are responsible for Volume Shadow Copies in the Windows OS (Operating System), as shown in Table 1.
Service | Description |
--- | --- |
vmicvss | Hyper-V Volume Shadow Copy Requestor |
vmvss | Volume Shadow Copy service |
vss | Volume Shadow Copy Service |
As shown in Figure 16, the ransomware uses the OpenServiceW API to obtain a handle to vmicvss and the DeleteService API to delete the service. It does the same for the other services listed in Table 1.
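As an added illustration of how a defender might hunt for the behaviour in Figures 15 and 16 (the mutex name and the deletion of the three shadow-copy services from Table 1), the following Python detector, which is not part of Cyble's tooling, runs over constructed API-call telemetry. The record shape, field names and process IDs are assumptions.

```python
import json
from collections import defaultdict

# Values taken from the analysis above: the mutex name (Figure 15) and the
# three shadow-copy services the sample deletes (Table 1).
BLACKMATTER_MUTEX = "0d216858b68c0bcae655c2eaffeee2ad"
SHADOW_COPY_SERVICES = {"vss", "vmvss", "vmicvss"}

# Constructed sample telemetry: one JSON record per API call, in the shape an
# EDR or API monitor might emit. Field names and PIDs are assumptions.
SAMPLE_EVENTS = """
{"pid": 4120, "api": "CreateMutexW", "args": {"name": "0d216858b68c0bcae655c2eaffeee2ad"}}
{"pid": 4120, "api": "OpenServiceW", "args": {"service": "vmicvss"}}
{"pid": 4120, "api": "DeleteService", "args": {"service": "vmicvss"}}
{"pid": 4120, "api": "DeleteService", "args": {"service": "vmvss"}}
{"pid": 4120, "api": "DeleteService", "args": {"service": "VSS"}}
{"pid": 7788, "api": "OpenServiceW", "args": {"service": "Spooler"}}
{"pid": 7788, "api": "DeleteService", "args": {"service": "Spooler"}}
{"pid": 9001, "api": "DeleteService", "args": {"service": "vss"}}
"""


def analyze(events_text):
    """Group API-call records by PID; return {pid: {"mutex", "deleted", "verdict"}}."""
    state = defaultdict(lambda: {"mutex": False, "deleted": set()})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc = state[ev["pid"]]
        if ev["api"] == "CreateMutexW" and ev["args"].get("name") == BLACKMATTER_MUTEX:
            proc["mutex"] = True
        elif ev["api"] == "DeleteService":
            # Service names are case-insensitive, so normalise before matching.
            svc = ev["args"].get("service", "").lower()
            if svc in SHADOW_COPY_SERVICES:
                proc["deleted"].add(svc)

    verdicts = {}
    for pid, proc in state.items():
        # The known mutex, or removal of all three services, is a strong match;
        # deleting even one shadow-copy service still deserves a look.
        if proc["mutex"] or proc["deleted"] == SHADOW_COPY_SERVICES:
            verdict = "blackmatter-like"
        elif proc["deleted"]:
            verdict = "suspicious: shadow-copy service deleted"
        else:
            verdict = "benign"
        verdicts[pid] = {**proc, "verdict": verdict}
    return verdicts
```

Feeding the constructed sample through analyze() flags PID 4120 as BlackMatter-like, PID 9001 as suspicious, and leaves the Spooler deletion by PID 7788 as benign.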

Furthermore, the ransomware uses the FindFirstVolumeW, FindNextVolumeW, and FindVolumeClose APIs to enumerate the Windows volumes, as shown in Figure 17.

The malware also deletes the contents of the Recycle Bin, as shown in Figure 18.

Figure 19 shows that the ransomware communicates with the attacker's C2 URL and sends the victim's system information in an encrypted format.

Figure 20 shows the collected system information in plaintext (JSON format) as it is stored in memory.

The ransomware likely receives a response from the C2, which it then decodes into JSON format, as shown in Figure 21.

Additionally, the ransomware uses the Restart Manager technique. It checks whether a targeted file is in use by another process; if so, it terminates that process and then encrypts the target file, as shown in Figure 22.

The BlackMatter ransomware uses standard ransomware encryption techniques, as shown in Figure 23.

In summary, BlackMatter encrypts files, communicates with its C2 server and shares the collected system information with it, and performs data exfiltration or additional functionality based on the commands it receives from the C2.
Conclusion
BlackMatter uses various sophisticated techniques to make malware analysis hard. As per our initial analysis, the affiliates who target various organizations gain initial access to the victim organization's infrastructure and then execute the ransomware.
Cyble Research Labs continuously monitors BlackMatter activities and keeps our clients informed of recent updates about this campaign.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobiles.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
--- | --- | --- |
Initial Access | T1566 | Phishing |
Execution | T1204 | User Execution |
Discovery | T1082 | System Information Discovery |
Defense Evasion | T1497.003 | Time-Based Evasion |
Impact | T1490 | Inhibit System Recovery |
Impact | T1489 | Service Stop |
Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IoCs):
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.