cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Report reveals connection between BlackMatter and DarkSide ransomware

The BlackMatter emerges from the shadow of DarkSide report published by Sophos has uncovered technical details of similarities between BlackMatter and DarkSide ransomware.

user icon Nastasha Tupas
Tue, 10 Aug 2021
Report reveals connection between BlackMatter and DarkSide ransomware
expand image

The findings are based on a deep dive analysis of the BlackMatter malware by SophosLabs and Sophos Rapid Response investigation into an incident involving BlackMatter ransomware. The research also highlights similarities with the REvil and LockBit 2.0 ransomware groups.

According to Mark Loman, director of engineering at Sophos, the connection their research found that this is not a simple case of rebranding.

"Our analysis of the malware shows that while there are similarities with DarkSide ransomware, the code is not identical," Loman said.


"As the alleged operators behind the ransomware have claimed, there are also similarities with REvil and LockBit 2.0 ransomware.

"We also found a few features that are distinct to BlackMatter."

While the research supports the assumption that there is a connection between BlackMatter and DarkSide ransomware, one of the key features specific to BlackMatter is its ability to reset file permissions so that everyone can view a document – a setting that IT administrators need to remember to reset after files are restored.

The tactics, techniques and procedures (TTPs) used by BlackMatter ransomware are similar to those seen in one or more of DarkSide, REvil and LockBit 2.0, including a wallpaper “reset” to the ransom note that is technically very similar to DarkSide’s, an approach to multithreaded file encryption that resembles DarkSide’s, the abuse of “Safe Mode” that resembles the approach used by REvil, user account control (UAC) privilege escalation like that seen in DarkSide and LockBit 2.0 attacks and the encryption of code strings to make static detection more difficult, similar to that seen in DarkSide and REvil.

Additionally, the Sophos research details newly uncovered features of the BlackMatter ransomware including how BlackMatter resets file permissions on each document it encrypts to grant “Full” access to group “Everyone”, technical details of how BlackMatter ransomware is deployed across the network and details of which processes are killed before the deployment of the ransomware.

“It’s still early days for this new ransomware-as-a-service family, but our findings suggest that in the hands of an experienced attacker, this ransomware can cause a lot of damage without triggering many alarms," Loman added.

It is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with potentially disastrous consequences.”

[Related: Gigabyte reportedly suffers ransomware attack]

Nastasha Tupas

Nastasha Tupas

Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.