Description
BlackMatter ransomware group claims to be Darkside and REvil succesor.
8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac
General
Target
Size
Sample
8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac
5MB
211103-raaz9abbbk
Score
10 /10
MD5
SHA1
SHA256
SHA512
6bd9bcccf3b918b5b1b7d554f82c2fdf
06cadd71039666315102aa5e46f52c45bec453a8
8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac
c74a0c90f5c6e1f99f1aad0729b2fdb22e616d3070dca0852bc7f2c12b30703206f7bf171ef9e19807d7e9a9788cbc8416fb142fbdcd3625bc22c42acb73b176
Malware Config
Extracted
| Path | C:\6amPnJyPq.README.txt |
| Family | blackmatter |
| Ransom Note |
~+
* +
' BLACK |
() .-.,='``'=. - o -
'=/_ \ |
* | '=._ |
\ `=./`, '
. '=.__.=' `=' *
+ Matter +
O * ' .
>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What data stolen?
From your network was stolen 50 GB of data.
If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.
Blog post link: %BLOG_URL%
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.
>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/LEOYRMQLSRHFGFGYWF2T5
>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
|
| URLs |
http://supp24maprinktc7uizgfyqhisx7lkszb6ogh6lwdzpac23w3mh4tvyd.onion/LEOYRMQLSRHFGFGYWF2T5 |
Extracted
| Family | blackmatter |
| Version | 2.0 |
| Botnet | 5791ae39aeab40b5e8e33d8dce465877 |
| Attributes |
attempt_auth false
create_mutex true
encrypt_network_shares true
exfiltrate false
mount_volumes true |
| rsa_pubkey.base64 |
|
| aes.base64 |
|
Targets
Target
MD5
Filesize
8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac
6bd9bcccf3b918b5b1b7d554f82c2fdf
5MB
Score
10/10
SHA1
SHA256
SHA512
06cadd71039666315102aa5e46f52c45bec453a8
8323fdfda08300c691d330badec2607ea050cc10ee39934faeebedf3877df3ac
c74a0c90f5c6e1f99f1aad0729b2fdb22e616d3070dca0852bc7f2c12b30703206f7bf171ef9e19807d7e9a9788cbc8416fb142fbdcd3625bc22c42acb73b176
Tags
Signatures
-
BlackMatter Ransomware
-
suricata: ET MALWARE BlackMatter CnC Activity
Description
suricata: ET MALWARE BlackMatter CnC Activity
Tags
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Description
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
Tags
-
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Description
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (nowautomation .com)
Tags
-
Modifies extensions of user files
Description
Ransomware generally changes the extension on encrypted files.
Tags
-
VMProtect packed file
Description
Detects executables packed with VMProtect commercial packer.
Tags
-
Enumerates connected drives
Description
Attempts to read the root path of hard drives other than the default C: drive.
TTPs
-
Sets desktop wallpaper using registry
Tags
TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks