Ransomware-as-a-Service: BlackMatter emerges from the DarkSide shadow. In a new analysis, the experts at SophosLabs give an insight into the BlackMatter ransomware.
Accordingly, there are similarities to DarkSide Ransomware-as-a-Service (RaaS) and to other malware groups such as REvil and LockBit 2.0. Many functions are similar here, but details remain individual.
BlackMatter vs DarkSide RaaS
How are BlackMatter and the DarkSide RaaS related? Sophos publishes details based on Sophos Labs' analysis of BlackMatter malware and what the Rapid Response team learned from an incident involving BlackMatter. The analysis describes, among other things, new, previously undiscovered functions of BlackMatter Ransomware, such as how it resets the file permissions for every encrypted document in order to grant the group “Everyone” full access. It also includes details of how the malware is distributed across the entire network and information about the processes that are terminated before the ransomware is deployed.
BlackMatter ransomware tactics
In the investigation, the Sophos researchers also describe how the tactics, techniques and procedures (TTPs) used by the BlackMatter ransomware are similar to those used by DarkSide, REvil and LockBit 2.0. For example, there is a “reset” of the background image in the ransom note, which is technically very similar to DarkSide. An approach to multithreading file encryption also reminds DarkSide. The abuse of "safe mode", again, is very similar to the approach used by REvil. In addition, there is an extension of the rights of the user account control (UAC), as was already observed in the DarkSide and LockBit 2.0 attacks. DarkSide and REvil also already encrypt code strings to make static detection more difficult.
BlackMatter structure is similar to DarkSide
Mark Loman, Director of Engineering at Sophos, rates the results as follows: “Our analysis of the malware shows that although there are similarities to DarkSide ransomware, the code is not identical. As the alleged operators behind the ransomware have claimed, there are also similarities with REvil and LockBit 2.0. But we've also found some features that make BlackMatter different. One of them is the ability to reset file permissions so anyone can see a document. A setting IT administrators need to remember to reset after restoring files. "
More at Sophos.com
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.