Description
BlackMatter ransomware group claims to be Darkside and REvil succesor.
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
67KB
220124-aw5y3sggcq
1019e0151d6c55eeecf06443fa6197c7
369445caaca7ba44bc684f9d9fd7651467ed5167
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
7328cac56bce5a181bdaca079cd16c04dedb0f0201a40b0fcb6b0d7483440f99dc480b5d08bb295bc4c257bb16d88160e709ce8b76e2d2514080d05a82c7f6c8
Family | blackmatter |
Version | 1.2 |
Botnet | 512478c08dada2af19e49808fbda5b0b |
Credentials | Protocol: Host: Port: Username: aheisler@hhcp.com Password: 120Heisler Protocol: Host: Port: Username: dsmith@hhcp.com Password: Tesla2019 Protocol: Host: Port: Username: administrator@hhcp.com Password: iteam8** |
C2 |
https://paymenthacks.com http://paymenthacks.com https://mojobiden.com http://mojobiden.com |
Attributes |
attempt_auth true
create_mutex true
encrypt_network_shares true
exfiltrate true
mount_volumes true |
rsa_pubkey.base64 |
|
aes.base64 |
|
Path | C:\y2VGe3tGZ.README.txt |
Family | blackmatter |
Ransom Note |
~+
* +
' BLACK |
() .-.,='``'=. - o -
'=/_ \ |
* | '=._ |
\ `=./`, '
. '=.__.=' `=' *
+ Matter +
O * ' .
>>> What happens?
Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.
>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.
>> Data leak includes
1. Full emloyeers personal data
2. Network information
3. Schemes of buildings, active project information, architect details and contracts,
4. Finance info
>>> How to contact with us?
1. Download and install TOR Browser (https://www.torproject.org/).
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV.
>>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
|
URLs |
http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/7NT6LXKC1XQHW5039BLOV |
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
1019e0151d6c55eeecf06443fa6197c7
67KB
369445caaca7ba44bc684f9d9fd7651467ed5167
84af3f15701d259f3729d83beb15ca738028432c261353d1f9242469d791714f
7328cac56bce5a181bdaca079cd16c04dedb0f0201a40b0fcb6b0d7483440f99dc480b5d08bb295bc4c257bb16d88160e709ce8b76e2d2514080d05a82c7f6c8
BlackMatter ransomware group claims to be Darkside and REvil succesor.
suricata: ET MALWARE BlackMatter CnC Activity
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (mojobiden .com)
suricata: ET MALWARE BlackMatter CnC Domain in DNS Lookup (paymenthacks .com)
Ransomware generally changes the extension on encrypted files.