Ransomware Profile: BlackMatter

Blackmatter profile - blog

BlackMatter is a strain of ransomware that encrypts files and threatens to leak stolen data if the ransom is not paid. The group targets large companies with annual revenues of more than $100 million and is actively recruiting affiliates as it ramps up its operations. BlackMatter may be a rebrand or spinoff of the now-defunct cybercrime outfit DarkSide due to the unique encryption routines employed by both ransomware groups.

What is BlackMatter? 

BlackMatter is a ransomware variant that encrypts files using Salsa20 and 1024-bit RSA encryption and demands a large sum of cryptocurrency for their decryption.  

As with many other ransomware groups, BlackMatter uses the threat of data exposure to increase the chances of achieving a payout. Before executing the final ransomware payload, BlackMatter operators exfiltrate data from compromised systems and threaten to release it on the group’s leak site unless the victim pays the ransom.  

BlackMatter operates as a ransomware-as-a-service (RaaS), a business model in which affiliates earn a portion of ransom payments in exchange for dropping the malware onto compromised systems. BlackMatter also works with initial access brokers, individuals who are willing to sell access to compromised networks. Initial access brokers are paid $3,000 – $100,000 for network access, depending on the target.  

Possible link between BlackMatter and DarkSide 

DarkSide is the ransomware gang responsible for the Colonial Pipeline attack in May 2021 that resulted in fuel shortages and price spikes across the U.S. Following unprecedented pressure from U.S. and Russian authorities, DarkSide was forced to shut down its operations a few weeks later.  

There is some evidence to suggest that DarkSide, or at least some members of DarkSide, may have returned under the BlackMatter moniker. After investigating a leaked BlackMatter decryptor, Emsisoft analysts determined that BlackMatter uses the same encryption routines that DarkSide formerly used in their attacks, including a custom Salsa20 matrix that was unique to DarkSide.  

The history of BlackMatter 

BlackMatter was first observed in late July 2021, when the alias “BlackMatter” was registered on the Russian-language cybercrime forums XSS and Exploit. The user deposited 4 bitcoins (worth approximately $150,000 USD at the time) into its Exploit escrow account, signaling their legitimacy and seriousness as a threat actor. Shortly after, the user posted an advertisement offering initial access brokers $3,000 – $100,000 for access to corporate networks that met the group’s criteria. 

In early September 2021, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordinating Council issued a threat brief on BlackMatter 


Ransomware submissions


Since BlackMatter was first discovered, there have been 44 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 176 BlackMatter incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of 10 organizations. 

BlackMatter ransom note  

After the encryption process is complete, BlackMatter drops a ransom note in user-accessible folders and changes the desktop wallpaper to a ransom notice. Some versions of the ransomware also print a physical copy of the ransom note by sending a print job from each infected endpoint to the default printer.  

The ransom note states that the victim’s files have been encrypted and provides instructions on how to communicate with the attackers. The note also specifies the type of data that was stolen during the attack, along with a “guarantee” that the threat actors will uphold their end of the bargain by decrypting the victim’s files and deleting the exfiltrated data after receiving payment. 

Below is a sample BlackMatter ransom note:  




>>> What happens? 

Your network is encrypted, and currently not operational. We have downloaded 1TB from your fileserver. 

We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. 


>>> What guarantees? 

We are not a politically motivated group and we do not need anything other than your money. 

If you pay, we will provide you the programs for decryption and we will delete your data. 

If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. 

We always keep our promises. 


>> Data leak includes 

  1. Full emloyeers personal data
  2. Network information
  4. Finance info


>>> How to contact with us? 

  1. Download and install TOR Browser (hxxps://www.torproject.org/).
  2. Open [URL REDACTED].


>>> Warning! Recovery recommendations.   

We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them. 

Who does BlackMatter target? 

BlackMatter targets large, well-resourced organizations. The group has attacked organizations located in the U.S., the U.K., Canada, Australia, India, Brazil, Chile and Thailand, although the list of impacted countries is growing.  


The BlackMatter group has developed versions of its ransomware for both Windows and Linux, enabling attackers to attack Linux-based environments including ESXi, Ubuntu, Debian and CentOS.   

BlackMatter claims that it does not attack certain industries as doing so would attract unwanted attention. This includes:  

If an entity in one of these industries is attacked (perhaps inadvertently or by an incautious affiliate), the group claims that it will provide free decryption.  

As always, any claims made by cybercrime groups should be met with skepticism. In addition, even if the group does provide free decryption to an impacted entity, recovery may still take days, weeks or months to complete. Such incidents can result in substantial disruption and financial loss; in the healthcare sector, it can mean loss of life.  

How does BlackMatter spread? 

BlackMatter attacks begin by breaching the target network, usually via compromised remote desktop protocol, phishing campaigns, exploiting known vulnerabilities or stolen credentials.  

When BlackMatter is executed, it verifies the rights of the current user. If privileges are restricted by User Account Control, the malware attempts to escalate its privileges using the ICMLuaUtil COM interface. This same technique is used by DarkSide and LockBit. After gaining the necessary privileges, BlackMatter terminates a number of productivity-related processes and deletes volume shadow copies of the targeted directories. Before the encryption begins, attackers also exfiltrate data, which is used as additional leverage to pressure victims into paying the ransom.  

During encryption, BlackMatter attempts to mount and encrypt unmounted partitions. It targets files stored locally and on network shares, as well as removable media, while ignoring specific directories, files and file extensions that are necessary for the device to function.  

As BlackMatter operates as a RaaS and can be distributed by many different affiliates, the exact anatomy of an attack can vary from incident to incident.  

Major BlackMatter attacks 

How to protect the network from BlackMatter and other ransomware   

The following practices may help organizations reduce the risk of a BlackMatter incident.

How to remove BlackMatter and other ransomware     

BlackMatter uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool. 

Victims of BlackMatter should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:     

Emsisoft Endpoint Protection: Award-Winning Security Made Simple

Experience effortless next-gen technology. Start Free Trial


Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next