We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 - 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
New research from SophosLabs shows that there is a connection between BlackMatter and DarkSide ransomware. However, this is not a simple case of rebranding. Sophos’ analysis of the malware shows that while there are similarities with DarkSide ransomware, the code is not identical.
In late July, a new RaaS appeared on the scene. Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil — adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0. They also say that while they are closely acquainted with the Darkside operators, they are not the same people.
As the alleged operators behind the ransomware have claimed, there are also similarities with REvil and LockBit 2.0 ransomware. For example, in a shared similarity with both REvil and Darkside, BlackMatter ransomware stores configuration information in the binary in an encoded format.
SophosLabs decoded this and found that BlackMatter ransomware has a similar structure and information stored in the configuration blob, like lists of processes and services to kill, the ransom note, C2 details, directories to avoid etc. Additionally, like DarkSide (and REvil), BlackMatter uses a run-time API that can hinder static analysis of the malware.
Like the other two ransomware groups, strings are also encrypted and revealed during runtime. Sophos also found a few features that are distinct to BlackMatter. One of these is its ability to reset file permissions so that everyone can view a document – because of the malicious encryption that follows, this doesn’t immediately cause a breach of privacy.
However, victims who pay the ransom demand will receive a decrypter from the attacker that cannot restore the original access permissions as this security information has been lost. IT admins should check and re-enforce proper permissions when recovering from a BlackMatter ransomware attack.
It’s still early days for this new ransomware-as-a-service family, but this research suggests that in the hands of an experienced attacker, this ransomware can cause a lot of damage without triggering many alarms. It is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with potentially disastrous consequences.
These findings are based on a deep dive analysis of the BlackMatter malware by SophosLabs as well as a Sophos Rapid Response investigation into an incident involving BlackMatter ransomware.
Read the full report by SophosLabs
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.