BlackMatter is the name given the most recent ransomware in the wild and equipped with the tools and techniques from DarkSide, REvil and LockBit 2.0 ransomware families.
BlackMatter is a new data encryption malware active since July 2021. The ransomware uses the most advanced techniques to make its analysis hard and avoid debugging strategies.
According to the BlackMatter website on the dark web, this ransomware has been active since July 28, 2021, and its operators are negotiating and purchasing access to internal networks. As observed in Figure 1, criminals have a rule section on the website (right-side) informing us that this malicious group will not attack hospitals, specific critical infrastructures, the defense industry and so on. [CLICK IMAGES TO ENLARGE]
Figure 1: BlackMatter ransomware website available on the dark web.
A publication on an underground forum was observed before the ransomware first showed up. The user with the name, “BlackMatter,” was looking for corporate networks of target countries within all the areas except medicine and state institutions.
Figure 2: Forum thread where criminals were looking for corporate networks to impact with their ransomware.
Digging into the ransomware details
BlackMatter ransomware uses the dynamic API resolving technique to resolve the