BlackMatter, a new ransomware-as-a-service (RaaS), has appeared on the threat landscape and borrows tools and techniques from DarkSide, REvil, and the still-active LockBit 2.0.
SophosLabs researchers took a closer look at the malware, which emerged after the DarkSide RaaS shut down its operations following an affiliate's attack on Colonial Pipeline, and after REvil went dark following its attack on Kaseya. BlackMatter's operators claim their ransomware "incorporates the best features" of DarkSide, REvil, and LockBit 2.0, and while they appear to be close to the DarkSide operators, they are not the same group.
"There are a number of factors that suggest a connection between BlackMatter and DarkSide," states SophosLabs' Mark Loman in a blog post. "However, this is not simply a rebranding from one to another. Malware analysis shows that while there are similarities with DarkSide ransomware, the code is not identical."
Their similarities include a partial encryption scheme, which BlackMatter, DarkSide, and LockBit 2.0 all use. Rather than encrypting each file in full, they encrypt only a portion of it, which shortens the duration of an attack because far less data has to be read from and written back to disk. It also blunts detections that expect an encrypted file to look uniformly random from start to end: most of the file keeps its original, low-entropy content.
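The detection-side consequence of partial encryption, as an added example that is not from the Sophos post and is not BlackMatter's own code: a chunk-wise entropy profile flags files where only one region looks encrypted, something a whole-file entropy check would miss. The 64 KiB window, the 7.5 bits/byte threshold, and the assumption that the encrypted region sits at the start of the file are all illustrative choices; the post does not say which part of a file BlackMatter encrypts. The sample files are constructed in the block so it runs offline.

```python
"""Chunk-wise entropy profiling to spot partially encrypted files.

Added example: not from the Sophos post, not BlackMatter code. Window size,
threshold and "encrypted region is at the front" are assumptions.
"""
import math
import os
from collections import Counter

CHUNK = 64 * 1024      # assumed window size; tune to the file sizes you see
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext and random data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Entropy of each fixed-size window, in file order."""
    windows = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    # A short trailing window can never reach the threshold even if it is
    # random (entropy is bounded by log2(len)), so fold it into its neighbour.
    if len(windows) > 1 and len(windows[-1]) < chunk // 4:
        windows[-2:] = [windows[-2] + windows[-1]]
    return [shannon_entropy(w) for w in windows]


def classify(data: bytes, chunk: int = CHUNK, high: float = HIGH_ENTROPY) -> str:
    """'plain' (no high-entropy windows), 'full' (all high) or 'partial' (mixed).

    'partial' is the footprint a partial-encryption scheme leaves; a
    whole-file entropy check averages it away and reports the file as plain.
    """
    flags = [e >= high for e in entropy_profile(data, chunk)]
    if not any(flags):
        return "plain"
    if all(flags):
        return "full"
    return "partial"


def classify_path(path: str) -> str:
    """Convenience wrapper for on-disk files."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# --- Constructed sample inputs (not real victim files) -----------------------

def make_plaintext(size: int) -> bytes:
    """Repetitive, low-entropy content standing in for a log or text file."""
    line = b"2021-08-01 12:00:00 INFO backup job completed successfully\n"
    return (line * (size // len(line) + 1))[:size]


def make_fully_encrypted(size: int) -> bytes:
    """Random bytes stand in for ciphertext."""
    return os.urandom(size)


def make_partially_encrypted(size: int, encrypted_bytes: int) -> bytes:
    """Plaintext whose leading region has been overwritten with 'ciphertext'."""
    data = bytearray(make_plaintext(size))
    data[:encrypted_bytes] = os.urandom(encrypted_bytes)
    return bytes(data)


if __name__ == "__main__":
    mib = 1024 * 1024
    for label, blob in [
        ("untouched log", make_plaintext(4 * mib)),
        ("fully encrypted", make_fully_encrypted(4 * mib)),
        ("first 1 MiB encrypted", make_partially_encrypted(4 * mib, mib)),
    ]:
        print(f"{label:24s} whole-file={shannon_entropy(blob):.2f} "
              f"verdict={classify(blob)}")
```

The whole-file entropy of the partially encrypted sample lands well under the threshold (three quarters of it is still the original log text), which is exactly why per-window profiling is needed; any tool that decides on a single number per file will wave it through.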
Like REvil, LockBit 2.0, and DarkSide, BlackMatter attempts to elevate its privileges when it is held back by User Account Control. And like DarkSide and REvil, it resolves the Windows API functions it needs at runtime rather than naming them in a static import table, which hampers static analysis because an analyst sees neither the imports nor the strings that would reveal what the sample does. Researchers note that the way this runtime API resolution and the string decryption work in BlackMatter is similar to the same functionality in DarkSide and REvil.
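Why runtime API resolution hides imports, and the lookup table an analyst precomputes to undo it, as an added example that is not from the Sophos post and is not BlackMatter's code. The ROR13-and-add hash below is the one familiar from Metasploit-style shellcode and is an assumed stand-in; the post does not say which hashing scheme BlackMatter uses, so the hash, the export list, and the `kernel32.dll!Name` labels are all illustrative.

```python
"""Precomputed hash -> API name table for samples that resolve imports at runtime.

Added example, not from the Sophos post or BlackMatter. ROR13 is an assumed
stand-in for whatever scheme the real sample uses.
"""


def ror13_add(name: str) -> int:
    """Rotate-right-by-13 then add, over the ASCII bytes of an export name.

    A sample embedding only this 32-bit constant carries no import entry and
    no string for the function, so a strings/imports pass shows nothing.
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed export list. In practice, dump the real export tables of the
# DLLs the sample is likely to touch (pefile, dumpbin /exports, etc.).
EXPORTS = {
    "kernel32.dll": ["VirtualAlloc", "CreateFileW", "WriteFile",
                     "GetProcAddress", "LoadLibraryA", "FindFirstFileW"],
    "advapi32.dll": ["CryptAcquireContextW", "CryptEncrypt", "OpenProcessToken"],
}


def build_table(exports: dict[str, list[str]]) -> dict[int, list[str]]:
    """Map every export name hash to 'dll!Name'. Lists keep collisions visible."""
    table: dict[int, list[str]] = {}
    for dll, names in exports.items():
        for n in names:
            table.setdefault(ror13_add(n), []).append(f"{dll}!{n}")
    return table


def resolve(table: dict[int, list[str]], h: int) -> list[str]:
    """Names whose hash equals h (empty if the table does not cover it)."""
    return table.get(h, [])


def what_the_binary_carries(names: list[str]) -> list[int]:
    """The constants a hash-resolving sample stores instead of import names."""
    return [ror13_add(n) for n in names]


if __name__ == "__main__":
    table = build_table(EXPORTS)
    # Pretend these constants were pulled from a disassembly listing.
    for h in what_the_binary_carries(["CreateFileW", "WriteFile", "CryptEncrypt"]):
        print(f"0x{h:08x} -> {resolve(table, h) or '<unknown>'}")
```

The table only answers for names it was built from, so a miss means "extend the export list", not "this hash is benign"; and because the hash is 32 bits over an unbounded name space, keep collisions as lists rather than silently taking the first match.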
Read the full blog post for more details on similarities in the ransomware.