blackmatter ransomware

A cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) with detailed information about the BlackMatter ransomware group targeting numerous U.S. critical infrastructure companies including U.S. food and agriculture sector companies. Included in the cybersecurity advisory are the technical details, analysis, and assessment of this ransomware threat along with several mitigation actions people can take to reduce the risk of a ransomware attack. BlackMatter first appeared in July 2021 as a ransomware-as-a-service with the intention of breaching business networks belonging to companies in the U.S., Canada, Australia, and the U.K. with a yearly revenue of at least $100 million.

Additionally, the ransomware operators were looking to buy access to company networks for at least $100,000 as long it doesn’t involve hospitals, critical infrastructure, non-profit, defense industry and government organizations. BlackMatter encrypted multiple companies’ systems in the U.S. and demanded $15 million in cryptocurrency. One ransomware variant analyzed in an isolated environment revealed that the threat actor used compromised administrator credentials to discover all the hosts in the victim’s Active Directory. Additionally, the variant used Microsoft Remote Procedure Call (MSRPC) function (srvsvc.NetShareEnumAll) allowing the threat actor to list all accessible network shares for each host.

According to the joint advisory, this BlackMatter variant would leverage the embedded credentials and SMB protocol to encrypt remotely from the original compromised host. BlackMatter can also encrypt VMware ESXi virtual servers from Linux-based systems. The advisory is warning companies that the BlackMatter group will wipe or reformat the backup data stores and appliances, whereas other ransomware threat actors will just encrypt them.

With information from TTPs associated with BlackMatter, the three agencies developed signatures for the open-source Snort network intrusion detection and prevention system to alert when a threat actor is attempting a remote encryption.


Intrusion Detection System Rule:

alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”;

content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44

00 4d 00 45 00 2e 00 74 00|”; distance:100; detection_filter: track by_src, count

4, seconds 1; priority:1; sid:11111111111; )


Inline Intrusion Prevention System Rule: 

alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”;

content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44

00 4d 00 45 00 2e 00 74 00|”; distance:100; priority:1; sid:10000001; )

rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1,

new_action reject, timeout 86400


CISA, the FBI, and the NSA released cybersecurity measures to counter BlackMatter ransomware attacks including basic password hygiene and mitigations methods to minimize the attack on the Active Directory. Companies are recommended to use strong, unique passwords for different accounts including admin, service, and domain administrators.  Companies should also use multi-factor authentication for all services that support the feature including webmail, virtual private networks, and accounts with access to critical systems. To minimize exposure to cybersecurity threats is to install security patches, one of the most efficient and cost-effective methods a business can implement.

The advisory includes the following mitigation advice:


CISA, the FBI, and NSA provide a set of supplementary mitigations critical infrastructure companies should consider prioritizing:


Emerging as the re-banded “Darkside” ransomware, BlackMatter is considered among the top threats known for stealing data before encrypting them and publishing them on their leak website unless the victim pays the ransom. With BlackMatter recently breaching various major corporations including Marketron, a business software solutions provider, NEW Cooperative, a U.S. farmers company, and Olympus, a medical technology organization, it’s more crucial for businesses to stay current with the latest threat landscape and take the necessary precautionary security measures to protect your networks.

At SpearTip, we offer companies our pre-breach and advisory services to prepare them for potential attacks and identify and improve security vulnerabilities. With our team of dedicated, certified engineers working at our Security Operations Centers 24/7, your network will be continuously monitored including weekends and holidays. SpearTip also offers a complete security suite for companies of any size. ShadowSpear, our endpoint detection and response tool, works in tandem with our Security Operations Center as a Services to help detect ransomware threats including BlackMatter and prevent them encrypting your company’s data.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.