BlackMatter ransomware gains access through compromised vulnerable edge devices and using obtained corporate credentials. The ransomware members exploit the infrastructure vulnerabilities’ including remote desktop, virtualization and VPN appliances or servers. Some initial access operators affiliated with BlackMatter will bring their own Tactics, Techniques and Procedures (TTPs) and exploit some vulnerabilities. BlackMatter uses the obtained credentials to exploit companies that don’t enforce multi-factor authentication on internet-facing services. The group and their affiliates are opportunistic exploiting vulnerable organizations based on their susceptibility to an intrusion method instead of investing their time and effort toward a specific target. BlackMatter gained extensive and intimate knowledge of the victim’s infrastructure using victim-specific ransomware configurations including tailored process and service names, terminating them before the encryption process begins. They also use an embedded list of high-privilege credentials’ including domain administrator or service accounts providing the ability to access and encrypt valuable data throughout the network. The threat actors also use a separate encryption binary for Linux-based machines and encrypt ESXi virtual machines and they wipe or reformat backup data stores and appliances.