Protect Against BlackMatter Ransomware Before It’s Offered

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Insikt Group reverse-engineered the Linux and Windows variants of BlackMatter ransomware and provided a high-level overview of the functionality in addition to IOCs, utilities, and detections. The intended audience of this research is threat intelligence professionals and those interested in a technical overview of the new ransomware variant.

Executive Summary

Insikt Group analyzed Windows and Linux variants of BlackMatter ransomware, a new ransomware-as-a-service (RaaS) affiliate program founded in July 2021. During our technical analysis, we found that both variants accomplish similar goals of encrypting a victim’s files and appear to have been developed by a relatively sophisticated group. The Windows version of the ransomware employs several obfuscation and anti-reverse engineering techniques, suggesting that it was created by an experienced ransomware developer. BlackMatter’s Linux variant is another example of an emerging trend of malware targeting Linux-based systems, including ESXi and network-attached storage (NAS) devices. Recorded Future has provided reverse-engineering utilities, a YARA rule, and IOCs that organizations can use to hunt or detect the ransomware.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.