SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Breach Prevention
#
Cybersecurity
#
Firewall
Research uncovers connection between BlackMatter and DarkSide ransomware-as-a-service
Thu, 19th Aug 2021
FYI, this story is more than a year old
Author image
By Shannon Williams, Journalist
Follow us

New research has unveiled the likely connection between BlackMatter and DarkSide ransomware-as-a-service.

Sophos has published a new research article, BlackMatter emerges from the shadow of DarkSide, that provides technical details of similarities between BlackMatter and DarkSide ransomware. The research also highlights similarities with the REvil and LockBit 2.0 ransomware groups.

The findings are based on a deep dive analysis of the BlackMatter malware by SophosLabs as well as a Sophos Rapid Response investigation into an incident involving BlackMatter ransomware.

Among other things, the research details:

  • Newly uncovered features of BlackMatter ransomware
  • How BlackMatter resets file permissions on each document it encrypts to grant Full access to group Everyone
  • Technical details of how BlackMatter ransomware is deployed across the network 
  • Details of which processes are killed before the deployment of the ransomware
     

The tactics, techniques and procedures (TTPs) used by BlackMatter ransomware that are similar to those seen in one or more of DarkSide, REvil and LockBit 2.0, including, for instance:

  • A wallpaper reset to the ransom note that is technically very similar to DarkSides (and how the ransom notes compare)
  • An approach to multithreaded file encryption that resembles DarkSides
  • The abuse of Safe Mode that resembles the approach used by REvil 
  • User Account Control (UAC) privilege escalation like that seen in DarkSide and LockBit 2.0 attacks
  • The encryption of code strings to make static detection more difficult, similar to that seen in DarkSide and REvil
     

"Our research supports the assumption that there is a connection between BlackMatter and DarkSide ransomware," says Mark Loman, director of engineering at Sophos.

"However, this is not a simple case of rebranding. Our analysis of the malware shows that while there are similarities with DarkSide ransomware, the code is not identical," he explains.

"As the alleged operators behind the ransomware have claimed, there are also similarities with REvil and LockBit 2.0 ransomware.

"We also found a few features that are distinct to BlackMatter. One of these is its ability to reset file permissions so that everyone can view a document a setting that IT administrators need to remember to reset after files are restored," Loman says.

"It is still early days for this new ransomware-as-a-service family, but our findings suggest that in the hands of an experienced attacker, this ransomware can cause a lot of damage without triggering many alarms," he says.

"It is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with potentially disastrous consequences."

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
GitHub's 2FA initiative helps secure software supply chain
Jason Haddix joins Flare as Field Chief Information Security Officer
AI tools linked to data exposure in 1 in 5 UK organisations
Trend Micro introduces AI-driven cyber risk management features
Top stories
Australian businesses fast-track Microsoft cloud adoption amid cyber threats
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity