SophosLabs: Research shows BlackMatter ransomware is familiar with DarkSide




New research from SophosLabs shows that there is a link between BlackMatter and the DarkSide ransomware. However, this is not just a case of rebranding. Sophos malware analysis shows that while there are similarities to DarkSide ransomware, the code is not the same.

Above: Here is a brief comparison of some of the abilities seen in the different groups.

At the end of July, a new RaaS appeared. Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0. Its operators also say that while they know the DarkSide operators closely, they are not the same people.

As the operators believed to be behind the ransomware have claimed, there are similarities to REvil and LockBit 2.0 ransomware as well. For example, like REvil and DarkSide, BlackMatter stores its configuration inside the binary in an encoded format.

SophosLabs decoded this and found that BlackMatter's config blob has a similar structure and holds the same kinds of information: lists of processes and services to kill, the ransom note, C2 details, directories to avoid, and so on. Additionally, like DarkSide (and REvil), BlackMatter resolves the Windows APIs it needs at runtime, which hampers static analysis of the malware.

Like the other two ransomware families, its strings are encrypted and only revealed during execution. Sophos has also found a few features distinctive to BlackMatter. One is its ability to reset file permissions so that anyone can read a document; because the malicious encryption follows immediately, this does not in itself cause a privacy breach.

However, victims who pay the ransom receive a decryptor from the attacker that cannot restore the original access permissions, because that security information has been lost. IT administrators should verify and enforce appropriate permissions when recovering from a BlackMatter ransomware attack.
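The permission check described above is something an administrator would script rather than do by hand. The following PowerShell script is an added example, not code from Sophos or from the article: it walks a recovered directory tree and reports every explicit Allow entry that grants Everyone, Authenticated Users or BUILTIN\Users Modify or FullControl, which is the kind of "anyone can read it" state the article describes. The script's own parameters (`$Path`, `$ReportCsv`) and the list of principals it treats as over-broad are assumptions; the article does not detail the exact ACE BlackMatter writes, so the script flags any such entry for human review rather than trying to match a specific signature.

```powershell
# Added example (not Sophos or VentureBeat code): audit a recovered share for
# over-broad file permissions after a BlackMatter incident.
param(
    [Parameter(Mandatory = $true)][string]$Path,   # root of the recovered data
    [string]$ReportCsv = ".\acl-audit.csv"         # where findings are written
)

# Well-known SIDs that should rarely hold Modify/FullControl on business data.
# Assumed list; extend it to match your own environment's baseline.
$broadPrincipals = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)
$broadRights = @(
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.FileSystemRights]::Modify
)

$findings = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { return }

        foreach ($ace in $acl.Access) {
            # Only Allow entries widen access; Deny entries narrow it.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Normalise the identity to a SID so the check is language-neutral.
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($broadPrincipals -notcontains $sid) { continue }

            # FileSystemRights is a flags enum: test whether all bits of a
            # broad right are present in this ACE.
            $hasBroadRight = $false
            foreach ($right in $broadRights) {
                if (($ace.FileSystemRights -band $right) -eq $right) { $hasBroadRight = $true }
            }
            if (-not $hasBroadRight) { continue }

            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # explicit (non-inherited) grants deserve the closest look
                Owner     = $acl.Owner
            }
        }
    }

$findings | Export-Csv -Path $ReportCsv -NoTypeInformation
"$(@($findings).Count) over-broad ACL entries written to $ReportCsv"
```

Run it as an account that can read ACLs on the whole tree, review the CSV against your documented share permissions, and only then re-apply the correct ACLs, for example by restoring inheritance from a known-good parent folder with `icacls <path> /reset /T /C`. The reset only helps if the parent's ACL is itself intact or has been re-applied from documentation or a pre-incident backup, which is why the audit comes first.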

It’s still early days for this new family of ransomware-as-a-service, but this research suggests that in the hands of an experienced attacker, this ransomware can cause a lot of damage without setting off many alarms. It is important that defenders investigate endpoint protection alerts early, as they can indicate an impending attack with potentially dire consequences.

These results are based on an in-depth analysis of BlackMatter malware by SophosLabs as well as a Sophos Rapid Response investigation into an incident involving BlackMatter ransomware.

Read the full report by SophosLabs.



