Story image

Research uncovers connection between BlackMatter and DarkSide ransomware-as-a-service

By Shannon Williams, 19 Aug 2021

New research has unveiled the likely connection between BlackMatter and DarkSide ransomware-as-a-service.

Sophos has published a new research article, BlackMatter emerges from the shadow of DarkSide, that provides technical details of similarities between BlackMatter and DarkSide ransomware. The research also highlights similarities with the REvil and LockBit 2.0 ransomware groups.

The findings are based on a deep dive analysis of the BlackMatter malware by SophosLabs as well as a Sophos Rapid Response investigation into an incident involving BlackMatter ransomware.

Among other things, the research details:

  • Newly uncovered features of BlackMatter ransomware
  • How BlackMatter resets file permissions on each document it encrypts to grant Full access to group Everyone
  • Technical details of how BlackMatter ransomware is deployed across the network 
  • Details of which processes are killed before the deployment of the ransomware
     

The tactics, techniques and procedures (TTPs) used by BlackMatter ransomware that are similar to those seen in one or more of DarkSide, REvil and LockBit 2.0, including, for instance:

  • A wallpaper reset to the ransom note that is technically very similar to DarkSides (and how the ransom notes compare)
  • An approach to multithreaded file encryption that resembles DarkSides
  • The abuse of Safe Mode that resembles the approach used by REvil 
  • User Account Control (UAC) privilege escalation like that seen in DarkSide and LockBit 2.0 attacks
  • The encryption of code strings to make static detection more difficult, similar to that seen in DarkSide and REvil
     

"Our research supports the assumption that there is a connection between BlackMatter and DarkSide ransomware," says Mark Loman, director of engineering at Sophos.

"However, this is not a simple case of rebranding. Our analysis of the malware shows that while there are similarities with DarkSide ransomware, the code is not identical," he explains.

"As the alleged operators behind the ransomware have claimed, there are also similarities with REvil and LockBit 2.0 ransomware. 

"We also found a few features that are distinct to BlackMatter. One of these is its ability to reset file permissions so that everyone can view a document a setting that IT administrators need to remember to reset after files are restored," Loman says.

"It is still early days for this new ransomware-as-a-service family, but our findings suggest that in the hands of an experienced attacker, this ransomware can cause a lot of damage without triggering many alarms," he says.

"It is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with potentially disastrous consequences."
 

Recent stories
More stories