Threat Actor Profile
BlackMatter
BlackMatter was a ransomware-as-a-service (RaaS) cybercrime group that first appeared in July 2021. Believed to be a rebrand of the DarkSide group, BlackMatter quickly made a name for itself by targeting critical infrastructure. The group is known for using previously compromised credentials to infiltrate networks, exfiltrating and then encrypting data, and demanding large ransoms in Bitcoin and Monero.
Country of Origin
BlackMatter is assessed to be a Russian-speaking group operating from Russia or elsewhere in the CIS. Like DarkSide before it, the group stated publicly that it would not attack organizations in CIS countries, and the ransomware is reported to check the victim system's installed languages and exit if it finds a CIS-region language. No state sponsorship has been attributed to BlackMatter; the operation appears to have been purely financially motivated.
Members
As a RaaS operation, BlackMatter consisted of a core team that developed and maintained the ransomware, the payment portal and the data leak site, plus affiliates who carried out the intrusions in exchange for a share of each ransom. In July 2021 an account using the BlackMatter name appeared on Russian-language cybercrime forums offering to buy access to the networks of large organizations (with annual revenue of $100 million or more) in the US, Canada, Australia and the UK, the same initial-access-broker model the group relied on in its attacks.
Leadership
The identities of BlackMatter's operators have not been publicly established. Overlaps in code, infrastructure and tradecraft with DarkSide led researchers, and the joint CISA, FBI and NSA advisory, to assess that the same developers were likely behind both operations. The group's own forum posts claimed it had combined the best features of DarkSide, REvil and LockBit.
BlackMatter TTPs
Tactics
BlackMatter’s primary goal was financial gain through extortion. Their tactics revolved around a double-extortion model:
Encrypting Data: They would encrypt critical files and systems, disrupting the victim's operations.
Exfiltrating Data: Before encryption, they would steal sensitive data and threaten to leak it publicly if the ransom was not paid.
Their attacks were designed to create maximum pressure on victims, often targeting large, high-revenue corporations that couldn't afford significant downtime.
Techniques
To achieve their goals, BlackMatter operators employed a variety of techniques that demonstrate a solid understanding of network infiltration and lateral movement.
- Initial Access: They typically gained entry through legitimate remote access and remote management software, using compromised user or administrator credentials, often purchased from initial access brokers.
- Discovery: Once inside a network, they used the compromised credentials with the LDAP and SMB protocols to discover all hosts in the Active Directory domain, mapping the entire environment before deploying the ransomware.
- Credential Dumping: The group harvested credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process to escalate privileges and move laterally across the network.
Procedures
BlackMatter followed a specific set of procedures to execute their attacks efficiently.
Malware Deployment: The ransomware was deployed to encrypt both Windows and Linux-based systems; a separate Linux binary targeted VMware ESXi hosts and the virtual machines running on them.
Process and Service Enumeration: The ransomware called the Windows APIs NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, identifying security tools to terminate or disable before encryption.
Destroying Backups: Before deploying the final payload, the operators would often wipe or reformat backup data stores and appliances to prevent victims from restoring their data without paying the ransom.
Encryption and Ransom Note: The ransomware encrypted local files and remotely encrypted network shares over SMB, dropping a ransom note named [random_string].README.txt into each affected directory with instructions on how to pay.
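Two of the behaviours described above leave recognisable traces in standard Windows telemetry: a process opening LSASS with memory-read access (credential dumping), and one account touching the ADMIN$ or C$ share on many hosts in a short window (the lateral movement and remote SMB encryption stage). The following detection logic is an added example, not code from this page or from Huntress. It runs both checks over constructed sample events shaped like Sysmon Event ID 10 (ProcessAccess) and Windows Security Event ID 5145 (detailed file share access); the field names, the LSASS allowlist, the window and the threshold are assumptions to be tuned for your environment.

```python
"""Detect LSASS credential dumping and admin-share fan-out in Windows event data.

Sample events below are constructed for this example; they mimic fields of
Sysmon Event ID 10 (ProcessAccess) and Security Event ID 5145 (detailed file
share access) and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Access-mask bit on a process handle that allows reading LSASS memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open LSASS with read access (assumption; tune per environment).
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}

# Administrative shares whose use from one account across many hosts is suspicious.
ADMIN_SHARES = {"ADMIN$", "C$"}

EVENTS = [
    # Sysmon 10: unknown binary opens lsass.exe with PROCESS_VM_READ set -> should be flagged
    {"id": 10, "time": "2021-09-20T03:12:01", "host": "FS01",
     "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Sysmon 10: endpoint protection reading lsass.exe, allowlisted -> not flagged
    {"id": 10, "time": "2021-09-20T03:12:05", "host": "FS01",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    # Sysmon 10: handle without VM_READ (query-only access) -> not flagged
    {"id": 10, "time": "2021-09-20T03:13:00", "host": "FS01",
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Security 5145: one account hitting ADMIN$/C$ on six hosts within two minutes -> flagged
    *[{"id": 5145, "time": t, "SubjectUserName": "svc_backup", "IpAddress": "10.0.0.50",
       "ShareName": share, "Computer": host}
      for t, share, host in [
          ("2021-09-20T03:20:00", r"\\*\ADMIN$", "FS01"),
          ("2021-09-20T03:20:10", r"\\*\ADMIN$", "FS02"),
          ("2021-09-20T03:20:25", r"\\*\C$", "WEB01"),
          ("2021-09-20T03:20:40", r"\\*\ADMIN$", "DC01"),
          ("2021-09-20T03:21:15", r"\\*\ADMIN$", "HR-PC07"),
          ("2021-09-20T03:21:50", r"\\*\C$", "HR-PC08"),
      ]],
    # Security 5145: an administrator's routine one-off accesses -> not flagged
    {"id": 5145, "time": "2021-09-20T09:05:00", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.1.7", "ShareName": r"\\*\ADMIN$", "Computer": "HR-PC01"},
    {"id": 5145, "time": "2021-09-20T09:40:00", "SubjectUserName": "jsmith",
     "IpAddress": "10.0.1.7", "ShareName": r"\\*\IPC$", "Computer": "FS01"},
]


def detect_lsass_access(events):
    """Return (host, source image) pairs where a non-allowlisted process opened
    lsass.exe with an access mask that permits reading its memory."""
    hits = []
    for e in events:
        if e["id"] != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        if e["SourceImage"].lower() in LSASS_ALLOWLIST:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            hits.append((e["host"], e["SourceImage"]))
    return hits


def detect_admin_share_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted hosts} for accounts that accessed ADMIN$ or C$ on at
    least `threshold` distinct hosts within any sliding interval of length `window`."""
    per_account = defaultdict(list)
    for e in events:
        if e["id"] != 5145:
            continue
        share = e["ShareName"].rsplit("\\", 1)[-1].upper()   # '\\*\ADMIN$' -> 'ADMIN$'
        if share in ADMIN_SHARES:
            per_account[e["SubjectUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["Computer"]))
    flagged = {}
    for account, touches in per_account.items():
        touches.sort()
        for i, (start, _) in enumerate(touches):
            hosts = {h for t, h in touches[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("LSASS access:", detect_lsass_access(EVENTS))
    print("Admin-share fan-out:", detect_admin_share_fanout(EVENTS))
```

The fan-out check counts distinct target hosts rather than raw events, so a backup agent or patching tool that hits one host repeatedly does not trip it; a legitimate deployment tool that does touch many hosts should be handled by excluding its service account rather than by raising the threshold.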
BlackMatter Notable Cyberattacks
The most significant attack attributed to BlackMatter was the September 2021 ransomware incident targeting NEW Cooperative, an Iowa-based farm cooperative. The attack was significant because it threatened to disrupt the U.S. food supply chain at harvest time, and the attackers demanded a $5.9 million ransom. The incident highlighted the vulnerability of the agricultural sector to ransomware and was followed in October 2021 by a joint advisory from CISA, the FBI, and the NSA warning critical infrastructure organizations about the group's tactics.
BlackMatter Law Enforcement
The pressure is on for these ransomware gangs. Following a series of high-profile attacks, including those by DarkSide (BlackMatter's predecessor), international law enforcement agencies ramped up their efforts. In November 2021, BlackMatter announced it was ceasing operations, citing pressure from authorities and the disappearance of some team members. While no specific arrests were publicly linked directly to BlackMatter's core team at the time, the shutdown was seen as a direct result of increased scrutiny and operations against ransomware groups in Eastern Europe.
How to Defend Against BlackMatter
Enforce Multi-Factor Authentication (MFA): Compromised credentials are a gateway for ransomware. Enforce MFA on all critical services, especially VPNs, webmail, and admin accounts. No excuses.
Patch, Patch, Patch: Keep your operating systems, software, and firmware updated. Timely patching is one of the cheapest and most effective ways to close security holes.
Network Segmentation: Don't let attackers roam free. Segment your network to prevent the lateral movement that ransomware relies on. If they can't spread, they can't do much damage.
Backups Are Your Best Friend: Maintain offline, encrypted, and immutable backups of your data. Test your restoration process regularly to ensure you can recover quickly without paying a dime.
Limit Administrative Access: Implement the principle of least privilege. Remove unnecessary admin shares (like ADMIN$ and C$) and use just-in-time (JIT) access for privileged accounts.
The Huntress Managed Security Platform is built for this. We provide 24/7 monitoring from our human ThreatOps team to detect and stop attackers before they can deploy ransomware. Our platform identifies persistence mechanisms, credential dumping, and lateral movement attempts that automated tools often miss. We've got your back.