Ransomware.live - Group : Blackmatter

Ransomware Group:

Blackmatter

Sponsored by Hudson Rock – Use Hudson Rock's free cybercrime intelligence tools to learn how compromised credentials are impacting your business

Ransomware-as-a-Service

Sites

Title	Available	Last Visit	FQDN	Screenshot
BlackMatter	🔴	2021-11-04 21:45:29.471099	blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion	N/A

External information

CISA Alert aa21-291a

Tools used

Discovery	RMM Tools	Defense Evasion	Credential Theft	OffSec	Networking	LOLBAS	Exfiltration
							PrivatLab

This information is provided by Ransomware-Tool-Matrix

Yara Rules

Click here to open yara rules

Negotiation chats

Name	# Msg	Initial Ransom	Negotiated Ransom	Paid
20210907	77	N/A	N/A
20210829	44	N/A	N/A

This information is provided by Valéry Marchive

Ransom Note(s)

Click here to see Ransom Note(s)

Activity over time

32 Victims

National Beverage

Discovery Date: 2021-11-04 16:05

Sector:

Keycentrix

Discovery Date: 2021-11-04 16:05

Sector:

Jobbers Meat Packing Co., Inc.

Discovery Date: 2021-11-04 16:05

Sector:

Home State Bank

Discovery Date: 2021-11-04 16:05

Sector:

Armour Transportation Systems

Discovery Date: 2021-11-04 16:05

Sector:

ZKTeco USA

Discovery Date: 2021-10-04 07:15

Sector:

crystalvalley

Discovery Date: 2021-09-29 01:35

Sector:

Bumper to Bumper Autoparts

Discovery Date: 2021-09-21 09:14

Sector:

LA-Martiniquaise

Discovery Date: 2021-09-20 20:11

Sector:

JMclaughlin

Discovery Date: 2021-09-20 15:11

Sector:

CasagrandeGroup

Discovery Date: 2021-09-20 15:11

Sector:

BCP Securities

Discovery Date: 2021-09-20 15:11

Sector:

Pramer Baustoffe GmbH

Discovery Date: 2021-09-20 13:14

Sector:

Ellerboeck

Discovery Date: 2021-09-20 13:14

Sector:

Citrocasa GmbH

Discovery Date: 2021-09-20 13:14

Sector:

Actief-Jobmade

Discovery Date: 2021-09-20 13:14

Sector:

Eisvogel Hubert Bernegger GmbH

Discovery Date: 2021-09-20 11:10

Sector:

Pulmuone Co., Ltd.

Discovery Date: 2021-09-18 00:16

Sector:

Modern Testing Services

Discovery Date: 2021-09-17 18:11

Sector:

northwoods & spectrumfurniture

Discovery Date: 2021-09-17 09:13

Sector:

EQUITY TRANSPORTATION

Discovery Date: 2021-09-15 16:12

Sector:

River City Construction

Discovery Date: 2021-09-11 12:11

Sector:

hhcp.com

Discovery Date: 2021-09-09 23:46

Sector:

Network Telecom / Enreach

Discovery Date: 2021-09-09 23:46

Sector:

Pine Labs Pvt

Discovery Date: 2021-09-09 23:46

Sector:

Kaydon Corporation (SKF Group Brand)

Discovery Date: 2021-09-09 23:46

Sector:

tastefulselections & WFG

Discovery Date: 2021-09-09 23:46

Sector:

Middleton Reutlinger

Discovery Date: 2021-09-09 23:46

Sector:

g-able.com

Discovery Date: 2021-09-09 23:46

Sector:

Diamond Schmitt

Discovery Date: 2021-09-09 23:46

Sector:

Trust Capital Funding

Discovery Date: 2021-09-09 23:46

Sector:

Olympus

Discovery Date: 2021-09-08 00:00

Sector: Information Technology

×

Infostealer information available for

Employees(s)	Customer(s)	Third Party Employee(s)

This information is provided by HudsonRock

×

/*
BlackMatter ransomware
*/

import "elf"

rule DarkSide_BM
{
    meta:
        author = "rivitna"
        family = "ransomware.darkside_blackmatter"
        description = "DarkSide/BlackMatter ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $h1 = { 64 A1 30 00 00 00     // mov  eax, large fs:30h
                8B B0 A4 00 00 00     // mov  esi, [eax+0A4h]
                8B B8 A8 00 00 00     // mov  edi, [eax+0A8h]
                83 FE 05              // cmp  esi, 5
                75 05                 // jnz  short L1
                83 FF 01 }            // cmp  edi, 1

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (1 of ($h*))
        )
}

rule BlackMatter
{
    meta:
        author = "rivitna"
        family = "ransomware.blackmatter.windows"
        description = "BlackMatter ransomware Windows payload"
        severity = 10
        score = 100

    strings:
        $h0 = { 80 C6 61              // add  dh, 61h
                80 EE 61              // sub  dh, 61h
                C1 CA 0D              // ror  edx, 0Dh
                03 D0 }               // add  edx, eax
        $h1 = { 02 F1                 // add  dh, cl
                2A F1                 // sub  dh, cl
                B9 0D 00 00 00        // mov  ecx, 0Dh
                D3 CA                 // ror  edx, cl
                03 D0 }               // add  edx, eax
        $h2 = { 3C 2B                 // cmp  al, 2Bh
                75 04                 // jnz  short L1
                B0 78                 // mov  al, 78h
                EB 0E                 // jnz  short L3
                                      // L1:
                3C 2F                 // cmp  al, 2Fh
                75 04                 // jnz  short L2
                B0 69                 // mov  al, 69h
                EB 06                 // jmp  short L3
                                      // L2:
                3C 3D                 // cmp  al, 3Dh
                75 02                 // jnz  short L3
                B0 7A }               // mov  al, 7Ah
                                      // L3:
        $h3 = { 33 C0                 // xor  eax, eax
                40                    // inc  eax
                40                    // inc  eax
                8D 0C C5 01 00 00 00  // lea  ecx, [eax*8+1]
                83 7D 0? 00           // cmp  [ebp+arg_0], 0
                75 04                 // jnz  short L1
                F7 D8                 // neg  eax
                EB 0? }               // jmp  short L2
                                      // L1:

    condition:
        ((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) and
        (
            (1 of ($h*))
        )
}

rule BlackMatter_Linux
{
    meta:
        author = "rivitna"
        family = "ransomware.blackmatter.linux"
        description = "BlackMatter ransomware Linux payload"
        severity = 10
        score = 100

    strings:
        $h0 = {                       // Loop:
                0F B6 10              // movzx edx, byte ptr [rax]
                84 D2                 // test  dl, dl
                74 19                 // jz    L1
                0F B6 34 0F           // movzx esi, byte ptr [rdi+rcx]
                40 38 F2              // cmp   dl, sil
                74 10                 // jz    L1
                48 83 C1 01           // add   rcx, 1
                31 F2                 // xor   edx, esi
                48 83 F9 20           // cmp   rcx, 20h
                88 10                 // mov   [rax], dl
                49 0F 44 C9           // cmovz rcx, r9
                                      // L1:
                48 83 C0 01           // add   rax, 1
                4C 39 C0              // cmp   rax, r8
                75 D7 }               // jnz   Loop
        $h1 = { 44 42 46 44               // mov   [rsp+var_1], 44464244h
                C7 4? [1-2] 30 35 35 43   // mov   [rsp+var_2], 43353530h
                C7 4? [1-2] 2D 39 43 46   // mov   [rsp+var_3], 4643392Dh
                C7 4? [1-2] 32 2D 34 42   // mov   [rsp+var_4], 42342D32h
                C7 4? [1-2] 42 38 2D 39   // mov   [rsp+var_5], 392D3842h
                C7 4? [1-2] 30 38 45 2D   // mov   [rsp+var_6], 2D453830h
                C7 4? [1-2] 36 44 41 32   // mov   [rsp+var_7], 32414436h
                C7 4? [1-2] 32 33 32 31   // mov   [rsp+var_8], 31323332h
                C7 4? [1-2] 42 46 31 37 } // mov   [rsp+var_9], 37314642h


    condition:
        (uint32(0) == 0x464C457F) and
        (
            (1 of ($h*)) or
            for any i in (0..elf.number_of_sections-2):
            (
                (elf.sections[i].name == ".app.version") and
                (elf.sections[i+1].name == ".cfgETD")
            )
        )
}