BlackMatter Ransomware Analysis, TTPs and IOCs



BlackMatter is a ransomware-as-a-service (RaaS) affiliate program launched in July 2021. "The project has incorporated in itself the best features of DarkSide, REvil, and LockBit," according to the BlackMatter ransomware group. They typically attack Windows and Linux servers and frequently collaborate with initial access brokers (IABs) to facilitate further exploitation. IABs are financially motivated threat actors who profit from the underground sale of remote access to corporate networks.

US CISA (Cybersecurity and Infrastructure Security Agency), the FBI, and the NSA issued a joint alert (AA21-291A) on October 18, 2021, stating that BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities since its launch. Olympus, a Japanese tech giant, was also a victim of a BlackMatter ransomware attack in September 2021.

In this article, we analyze the tactics, techniques, and procedures used by the BlackMatter ransomware group to understand their attack methods and the impact of the ransomware. According to our analysis, BlackMatter makes extensive use of defense evasion techniques to stay under the radar of security controls and achieve its goals. This finding shows that IoC- and signature-based approaches would not work against BlackMatter. Reasonable approaches to tackle these threats are behavior-based detection and a proactive defense approach with attack simulation and security control validation.

Tactics, Techniques, and Procedures (TTPs) used by BlackMatter Ransomware

The BlackMatter ransomware group utilizes 26 techniques and sub-techniques under 11 tactics in the MITRE ATT&CK framework. They also use multiple procedures for some techniques. This section presents malicious behaviors of the BlackMatter ransomware group by categorizing them using the MITRE ATT&CK v9.0 framework.

1. Initial Access

The Initial Access tactic includes techniques used by attackers to gain an initial foothold within a network, such as exploiting vulnerabilities on public-facing web servers.

1.1. MITRE ATT&CK T1078 Valid Accounts

Threat actors obtain and abuse the credentials of existing accounts to gain Initial Access, Persistence, Privilege Escalation, or Defense Evasion. The BlackMatter group gains initial access to the target network using previously compromised valid user or administrator accounts [1].

2. Execution

Techniques that result in adversary-controlled code running on a local or remote system are categorized under this tactic. It cannot be separated from the other tactics; execution techniques are often paired with techniques from all of them. For example, an adversary might use a Remote Access Tool (tactic: Command and Control) to run a PowerShell (tactic: Execution) script that performs Remote System Discovery (tactic: Discovery).

2.1. MITRE ATT&CK T1106 Native API

Adversaries can execute behaviors directly through the native OS application programming interface (API) [2]. Native APIs provide controlled access to low-level, kernel-level OS services, such as those involving hardware/devices, memory, and processes.

The BlackMatter ransomware-as-a-service (RaaS) leverages the Windows API by loading the system DLLs that export the functions it calls, such as kernel32.dll and ntdll.dll. It also uses the Native API for a variety of operations, such as enumerating files and directories.

2.2. MITRE ATT&CK T1047 Windows Management Instrumentation

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. Adversaries abuse WMI to execute a wide range of functions.

BlackMatter ransomware uses the following WMI query to list volume shadow copies:

SELECT * FROM Win32_ShadowCopy

3. Persistence

The Persistence tactic consists of techniques used by adversaries to maintain their foothold across system restarts, changed credentials, or patched vulnerabilities.

3.1. MITRE ATT&CK T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

When adversaries gain initial access to a system, they try to maintain their foothold to achieve persistence on the system. The Run Keys in the Registry and the Startup Folder in the Users directory are “old but gold” locations that are utilized by attackers for persistence. Adding an entry to the Run Keys or creating a shortcut in the Startup Folder is enough to execute malicious code when a user logs in.

BlackMatter writes its executable to the following RunOnce registry keys so that it is launched when a user logs in:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

4. Privilege Escalation

4.1. MITRE ATT&CK T1055 Process Injection

It is easy to detect malware processes by listing the running processes and filtering out legitimate ones that are part of the operating system or installed software. If the malware can encapsulate its malicious code within a legitimate process (if it can inject its malicious code in another process), it will hide on the infected system. Moreover, it can access the target process’s memory, system, and network resources. Thus, Process Injection is an “old but gold” technique that is used by attackers for defense evasion and privilege escalation [3].

The BlackMatter ransomware uses CreateRemoteThread and other API functions to inject shellcode into the svchost.exe process, which runs with SYSTEM privileges [4].

  • Enroll in our free MITRE ATT&CK Process Injection course in Purple Academy to learn how adversaries use process injection in their attacks and in red and blue team exercises.

4.2. MITRE ATT&CK T1134.001 Access Token Manipulation

Adversaries modify access tokens, which are used by Windows to determine the ownership of a running process, to perform actions, and evade access controls by operating under a different user or system security context [5]. The BlackMatter group copies access tokens from the explorer.exe process by utilizing built-in Windows API functions.

5. Defense Evasion

Defense evasion consists of techniques that adversaries use to avoid detection by security controls.

5.1. MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools

Threat actors disable security tools to avoid their tools and activities being detected by defensive security controls. Adversaries disable security tools using various methods, such as killing their processes/services, adding/removing/modifying their registry keys, or using their components. BlackMatter disables endpoint security software-related services [4].

  • Enroll in our free MITRE ATT&CK Impair Defenses course in Purple Academy to learn how adversaries impair defenses in their attacks and in red and blue team exercises.

5.2. MITRE ATT&CK T1497 Virtualization/Sandbox Evasion

Adversaries may use a variety of techniques to detect and avoid virtualization and analysis environments [6]. This may include altering behavior in response to the detection of artifacts indicative of a virtual machine (VM) environment or sandbox. If the adversary detects a VM environment, they may modify their malware in order to disengage from the victim or conceal the implant's core functions.

The BlackMatter ransomware includes a check for whether it is being run under a debugger. If BlackMatter detects a debugger, it crashes to avoid analysis.

Another anti-debugging method used by the BlackMatter ransomware is the ZwSetInformationThread routine, which sets thread attributes such as its priority [7]. ZwSetInformationThread (NtSetInformationThread) is the first anti-debugging API of Windows OSs [7], [8]. When the HideThreadFromDebugger class is passed as an argument, the thread on which the API was called stops delivering events (including breakpoints and program exit) to the debugger. Malware developers use this method to detach a debugger from the malware process.

5.3. MITRE ATT&CK T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

The Windows User Account Control (UAC) mechanism enables a program to escalate its privileges to perform a task with administrator-level permissions, possibly prompting the user to confirm. Adversaries try to bypass UAC to escalate privileges on the system [9].

The BlackMatter ransomware actors use the CMSTPLUA COM (Component Object Model) interface together with the COM Elevation Moniker to bypass UAC. CMSTP (the Microsoft Connection Manager Profile Installer) is a built-in Windows utility used to install Connection Manager service profiles (MITRE ATT&CK T1218.003 Signed Binary Proxy Execution: CMSTP).

Attackers, BlackMatter among them, leverage auto-elevated CMSTP COM interfaces such as CMLUAUTIL and CMSTPLUA to bypass UAC.

The COM Elevation Moniker enables applications that are running under UAC to activate COM classes (via the following format: Elevation:Administrator!new:{guid} ) with elevated privileges [10]. The LockBit ransomware also uses the same method to bypass UAC [11].

5.4. MITRE ATT&CK T1027 Obfuscated Files or Information

Adversaries obfuscate the contents of an executable or file to make their malicious content challenging to analyze or discover by encrypting, encoding, or otherwise obfuscating them on the system or in transit [12]. This is a typical behavior that can be used to evade defenses across different platforms and the network.

For example, rather than searching for module names directly, the BlackMatter ransomware searches for their ROT13-encoded versions [4]. It also hides which Windows APIs it relies on by resolving some of the required import functions by hash instead of by name.

Moreover, this ransomware uses Base64 encoding to obfuscate its configuration.

5.5. MITRE ATT&CK T1140 Deobfuscate/Decode Files or Information

Attackers use Obfuscated Files or Information to obfuscate intrusion artifacts and prevent them from being analyzed, as explained in the previous technique. Depending on how they intend to use the information, they may require separate mechanisms to decode or deobfuscate it [13]. BlackMatter decodes its Base64 encoded configuration.

5.6. MITRE ATT&CK T1112 Modify Registry

Adversaries may interact with the Windows Registry in order to conceal configuration information within Registry keys or delete data from Registry as part of clean-up, persistence, or execution operations [14].

The BlackMatter ransomware deletes the PROXYSERVER and PROXYOVERRIDE registry values and sets the PROXYENABLE value to 00000000 in the following registry path to disable the proxy:


BlackMatter also modifies the HKCU\Control Panel\Desktop\WallPaper registry key and sets its value as the image located in the %ALLUSERSPROFILE% directory, such as %ALLUSERSPROFILE%\syLRjIzRI.bmp. This wallpaper image includes a note from the BlackMatter ransomware gang, as shown in the below screenshot.


The syLRjIzRI.README.txt file, to which the wallpaper image points, contains the following note. It explains that the files were encrypted and stolen. So BlackMatter is a double-extortion ransomware like DarkSide; in other words, the group exfiltrates critical data before encrypting files and threatens to release the exfiltrated data to pressure the victim into paying the ransom.


When we followed the link in the ransom note, we saw that the BlackMatter ransomware group demands $5,900,000 to decrypt the files.
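The registry changes described in sections 3.1 and 5.6 (RunOnce autostart entries, the wallpaper swap, and the cleared proxy setting) are all visible in Sysmon Event ID 13 (registry value set) telemetry. The following is an added detection example, not code from Picus or from the cited reports: it classifies constructed Sysmon records against those three locations and groups the hits by the writing process, so a single binary touching all of them stands out. The field names follow Sysmon's RegistryEvent schema; the sample events, the placement of ProxyEnable under the Internet Settings key, and the expansion of %ALLUSERSPROFILE% to C:\ProgramData are assumptions for the example.

```python
"""Flag BlackMatter-style registry writes in Sysmon Event ID 13 records.
Added example; records below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Locations named in the write-up.  Sysmon reports HKCU as HKU\<SID>, so the
# patterns match on the key path after the hive rather than on the hive name.
RUNONCE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\[^\\]+$", re.I)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\WallPaper$", re.I)
# Assumption: the write-up does not print the proxy key path, so only the
# value name is matched here (it normally lives under Internet Settings).
PROXYENABLE_RE = re.compile(r"\\ProxyEnable$", re.I)
# %ALLUSERSPROFILE% usually expands to C:\ProgramData, which is what Sysmon
# records in Details once the value has been written.
NOTE_BMP_RE = re.compile(r"^[A-Z]:\\ProgramData\\[^\\]+\.bmp$", re.I)


def classify(record):
    """Return the technique labels triggered by one Sysmon record (empty if none)."""
    if record.get("EventID") != 13:
        return []
    target = record.get("TargetObject", "")
    details = record.get("Details", "")
    hits = []
    if RUNONCE_RE.search(target):
        hits.append("T1547.001 RunOnce autostart entry")
    if WALLPAPER_RE.search(target) and NOTE_BMP_RE.match(details):
        hits.append("T1112 wallpaper set to BMP dropped in ProgramData")
    # Sysmon renders DWORD values as "DWORD (0x00000000)"
    if PROXYENABLE_RE.search(target) and details.upper() == "DWORD (0X00000000)":
        hits.append("T1112 ProxyEnable cleared")
    return hits


def summarize(records):
    """Group hits by the writing process: {image: sorted unique labels}."""
    per_image = defaultdict(set)
    for rec in records:
        for label in classify(rec):
            per_image[rec["Image"]].add(label)
    return {img: sorted(labels) for img, labels in per_image.items()}


# Constructed sample events: one suspicious binary and two benign writers.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*update",
     "Details": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Control Panel\Desktop\WallPaper",
     "Details": r"C:\ProgramData\syLRjIzRI.bmp"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Control Panel\Desktop\WallPaper",
     "Details": r"C:\Windows\Web\Wallpaper\Windows\img0.jpg"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for image, labels in summarize(SAMPLE_EVENTS).items():
        print(image, "->", labels)
```

The RunOnce rule is scoped to what the write-up documents; in production you would normally also cover the Run keys and tune the wallpaper rule to your own wallpaper-deployment tooling, since the grouping by process, not any single write, is what carries the signal.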


5.7. MITRE ATT&CK T1222 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Adversaries may modify the permissions/attributes of files or directories in order to circumvent access control lists (ACLs) and access protected files [15]. ACLs are frequently used to manage file and directory permissions. ACLs can be configured by the file or directory owner or by users with the appropriate permissions. Although implementations of file and directory ACLs vary by platform, they generally specify explicitly which users or groups are permitted to perform which actions (read, write, execute, etc.).

BlackMatter executes the following command to grant full access to the drive for encrypting files and other purposes [4].

icacls "<DriveLetter>:\*" /grant Everyone:F /T /C /Q
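The command above is a strong process-creation signal: a recursive grant of full control to Everyone on a drive root is rarely legitimate. The following is an added example, not Picus code or code from the cited report: it tokenizes a Windows command line the way it would appear in Sysmon Event ID 1 or Security Event 4688 and scores icacls invocations on three properties (Everyone or its well-known SID S-1-1-0 gets full control, the target is a drive root, the change is recursive). The sample command lines are constructed.

```python
"""Score icacls command lines for the drive-wide Everyone:F pattern.
Added example; the command lines below are constructed."""
import re

EVERYONE = {"everyone", "*s-1-1-0"}                  # name and well-known SID of Everyone
INHERIT_RE = re.compile(r"\((OI|CI|IO|NP|I)\)", re.I)  # inheritance flags inside a perm spec
DRIVE_ROOT_RE = re.compile(r"^[A-Z]:\\\*?$", re.I)    # C:\  or  C:\*
FULL = "Everyone granted full control"


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans together."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]


def grants_full_to_everyone(spec):
    """True for specs such as Everyone:F, *S-1-1-0:(OI)(CI)F or Everyone:(F)."""
    if ":" not in spec:
        return False
    principal, perm = spec.rsplit(":", 1)
    perm = INHERIT_RE.sub("", perm).strip("()").upper()
    return principal.strip().lower() in EVERYONE and "F" in perm.split(",")


def assess_icacls(cmdline):
    """Return {'suspicious': bool, 'reasons': [...]} for one command line.
    Suspicious when Everyone gets full control AND the change is drive-wide or recursive."""
    tokens = tokenize(cmdline)
    if not tokens or not re.search(r"(?:^|\\)icacls(?:\.exe)?$", tokens[0], re.I):
        return {"suspicious": False, "reasons": []}
    reasons = []
    for i, tok in enumerate(tokens):
        if tok.lower().startswith("/grant") and i + 1 < len(tokens):  # /grant or /grant:r
            if grants_full_to_everyone(tokens[i + 1]):
                reasons.append(FULL)
        elif DRIVE_ROOT_RE.match(tok):
            reasons.append("target is a drive root")
        elif tok.lower() == "/t":
            reasons.append("recursive (/T)")
    broad = any(r != FULL for r in reasons)
    return {"suspicious": FULL in reasons and broad, "reasons": reasons}


# Constructed command lines: two instances of the pattern and two benign uses.
SAMPLE_CMDLINES = [
    r'icacls "C:\*" /grant Everyone:F /T /C /Q',
    r'C:\Windows\System32\icacls.exe D:\ /grant *S-1-1-0:(OI)(CI)F /T',
    r'icacls "C:\inetpub\logs" /grant "IIS_IUSRS":(OI)(CI)M',
    r'icacls "C:\*" /grant Everyone:RX /T',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(line, "->", assess_icacls(line))
```

The fourth sample shows why the permission is parsed rather than string-matched: the same drive-wide recursive shape with read/execute only is noisy but not the encryption-preparation step the write-up describes.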

6. Credential Access

6.1. MITRE ATT&CK T1003.001 OS Credential Dumping: LSASS Memory

After compromising a system with elevated privileges, adversaries try to dump as many credentials as possible. The Credential Dumping technique enables adversaries to obtain account login and password information from the operating system and software. These credentials could grant a greater level of access, such as a privileged domain account, or the same credentials could be used on other assets.

The Local Security Authority Subsystem Service (LSASS) stores credentials of the logged-in users in memory to provide seamless access to network resources without re-entering their credentials. BlackMatter harvests credentials from LSASS memory using procmon [1].

  • Enroll in our free MITRE ATT&CK OS Credential Dumping course in Purple Academy to learn how adversaries dump credentials in their attacks and in red and blue team exercises.
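Whatever tool reads LSASS memory, it has to open a handle to lsass.exe with read access, which Sysmon records as Event ID 10 (ProcessAccess). The following is an added detection example, not Picus code: it flags lsass.exe handles that request PROCESS_VM_READ from a process outside a small allow-list, and separately flags call stacks containing frames that belong to no loaded module (UNKNOWN), which is how injected code shows up in Sysmon's CallTrace. The allow-list and the sample records are constructed for the example.

```python
"""Flag suspicious handles opened on lsass.exe in Sysmon Event ID 10 records.
Added example; records and allow-list below are constructed."""

PROCESS_VM_READ = 0x0010   # the right every memory dump needs on lsass.exe

# Assumed allow-list of images that legitimately open lsass.exe; tune per estate.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}


def assess_lsass_access(record):
    """Return the reasons one Sysmon Event ID 10 record looks like LSASS dumping."""
    reasons = []
    if record.get("EventID") != 10:
        return reasons
    if not record.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return reasons
    if record.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return reasons
    access = int(record["GrantedAccess"], 16)       # Sysmon logs e.g. "0x1010"
    if access & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ on lsass.exe (0x%X)" % access)
    # UNKNOWN frames mean the call came from memory backed by no module,
    # typical of shellcode injected into an otherwise legitimate process.
    if "UNKNOWN" in record.get("CallTrace", "").upper():
        reasons.append("call stack contains unbacked (UNKNOWN) frames")
    return reasons


def scan(records):
    """Return [(source image, reasons)] for every record that raised a reason."""
    out = []
    for rec in records:
        reasons = assess_lsass_access(rec)
        if reasons:
            out.append((rec["SourceImage"], reasons))
    return out


# Constructed records: a dropper reading LSASS, an allow-listed service, a
# process that only queries information, and an injected PowerShell process.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4|C:\Users\alice\AppData\Local\Temp\tool.exe+1a2b"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d0c4|UNKNOWN(000001E0C2A40000)"},
]

if __name__ == "__main__":
    for source, reasons in scan(SAMPLE_EVENTS):
        print(source, "->", reasons)
```

The access mask check is deliberately narrow: 0x1400 (query information only) is what many legitimate tools request, so keying on PROCESS_VM_READ keeps the rule meaningful even before the allow-list is complete.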

7. Discovery

Adversaries use the techniques in the Discovery tactic to obtain information about the target environment, such as services, processes, network, files, software, system, accounts, domain, and registry.

7.1. MITRE ATT&CK T1012 Query Registry

Adversaries query the Windows Registry to get information about the system, its configuration, and installed software. The BlackMatter ransomware obtains the Cryptographic Machine GUID by querying the MachineGuid value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography key and uses it to generate a unique ID for each infected machine, so that multiple instances do not run on the same victim machine.

7.2. MITRE ATT&CK T1057 Process Discovery

Adversaries obtain information about running processes to understand the software and applications running on the system and shape follow-on behaviors. For example, BlackMatter uses the NtQuerySystemInformation function to enumerate all processes in the system in order to find explorer.exe and duplicate its token.

7.3. MITRE ATT&CK T1007 System Service Discovery

Adversaries get information about registered services to shape subsequent behaviors. The BlackMatter ransomware utilizes the EnumServicesStatusExW function to enumerate running services.

7.4. MITRE ATT&CK T1083 File and Directory Discovery

Adversaries enumerate files and directories within a file system. For example, ransomware families use this technique to search for targets to encrypt. Command shell utilities, custom tools, or Native API can be used to employ this technique.

The BlackMatter ransomware utilizes Native API to gather file and directory information.

7.5. MITRE ATT&CK T1018 Remote System Discovery

Adversaries obtain a list of other systems on a network using their IP address, hostname, or another logical identifier that can be used for Lateral Movement from the current system.

The BlackMatter ransomware uses its embedded valid credentials over the LDAP and SMB protocols to discover all hosts in the Active Directory (AD) domain [1].

7.6. MITRE ATT&CK T1082 System Information Discovery

Following initial access to a system, attackers need to gather information about the system to decide how to continue the attack [16]. They collect operating system (OS), hardware, host, and user information to shape follow-on actions.

BlackMatter discovers the version of the OS and the CPU (Central Processing Unit) architecture (32 or 64 bits). It uses the ZwQueryInformationProcess function with ProcessWow64Information class to determine whether the process is running in the WOW64 environment [17].

The BlackMatter ransomware also collects other system information, such as username, computer name, and the size of the hard disks.

8. Lateral Movement

The Lateral Movement tactic includes techniques that are used by adversaries to access and control remote systems (lateral movement) on the target network. To accomplish Lateral Movement, adversaries may use legitimate tools with valid accounts as well as their remote access tools.

8.1. MITRE ATT&CK T1021.002 Remote Services: SMB/Windows Admin Shares

Adversaries can utilize Valid Accounts to communicate with a remote network share via the Server Message Block (SMB) protocol [18]. The adversary may then act as the logged-on user. SMB is a protocol for sharing files, printers, and serial ports between Windows machines on the same network or domain. Adversaries may use SMB to communicate with file shares, allowing them to move laterally across a network.

BlackMatter enumerates shares using the srvsvc.NetShareEnumAll MSRPC function and connects to all discovered shares via SMB, including ADMIN$, C$, SYSVOL, and NETLOGON [1]. It remotely encrypts the contents of all discovered shares.
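One account connecting to ADMIN$ or C$ on many hosts within minutes is the observable side of the share enumeration and remote encryption described above. The following is an added example, not Picus code: it runs a sliding-window count over Windows Security Event ID 5140 (network share object accessed) records, which each file server logs when the Audit File Share subcategory is enabled, and raises an alert when one user/source-IP pair reaches administrative shares on at least three distinct hosts within ten minutes. SYSVOL and NETLOGON are excluded because every domain member reads them. The events, thresholds, and window are constructed for the example.

```python
"""Detect one account touching administrative shares on many hosts quickly,
from Security Event ID 5140 fields.  Added example; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}   # SYSVOL/NETLOGON are normal traffic, so excluded
WINDOW = timedelta(minutes=10)
HOST_THRESHOLD = 3                # distinct target hosts within WINDOW


def share_name(event):
    """5140 logs ShareName as \\\\*\\ADMIN$; return the bare share name."""
    return event["ShareName"].rsplit("\\", 1)[-1].upper()


def detect_share_spray(events, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return {(user, source ip): max distinct hosts reached inside any window}
    for every source that meets the threshold."""
    by_source = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 5140 and share_name(ev) in ADMIN_SHARES:
            key = (ev["SubjectUserName"].lower(), ev["IpAddress"])
            by_source[key].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"].lower()))
    alerts = {}
    for key, hits in by_source.items():
        hits.sort()                      # by time, so each window is a slice
        best = 0
        for i, (start, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - start <= window}
            best = max(best, len(hosts))
        if best >= threshold:
            alerts[key] = best
    return alerts


def make_event(time, user, ip, computer, share):
    """Build a constructed 5140 record; Computer is the host that logged it."""
    return {"EventID": 5140, "TimeCreated": time, "SubjectUserName": user,
            "IpAddress": ip, "Computer": computer, "ShareName": "\\\\*\\" + share}


# Constructed events: one source sweeps five hosts in under three minutes,
# another account reaches two file servers half an hour apart.
SAMPLE_EVENTS = [
    make_event("2021-10-18T09:00:05", "svc_backup", "10.0.0.50", "WS01", "ADMIN$"),
    make_event("2021-10-18T09:00:40", "svc_backup", "10.0.0.50", "WS02", "ADMIN$"),
    make_event("2021-10-18T09:01:10", "svc_backup", "10.0.0.50", "WS03", "C$"),
    make_event("2021-10-18T09:02:00", "svc_backup", "10.0.0.50", "WS04", "ADMIN$"),
    make_event("2021-10-18T09:02:30", "svc_backup", "10.0.0.50", "WS05", "ADMIN$"),
    make_event("2021-10-18T09:03:00", "svc_backup", "10.0.0.50", "DC01", "SYSVOL"),
    make_event("2021-10-18T09:00:00", "jdoe", "10.0.1.20", "FS01", "C$"),
    make_event("2021-10-18T09:30:00", "jdoe", "10.0.1.20", "FS02", "C$"),
    make_event("2021-10-18T09:31:00", "jdoe", "10.0.1.20", "DC01", "NETLOGON"),
]

if __name__ == "__main__":
    for (user, ip), hosts in detect_share_spray(SAMPLE_EVENTS).items():
        print("%s from %s reached admin shares on %d hosts" % (user, ip, hosts))
```

Because 5140 is written by the target host, the events have to be centralized (SIEM or forwarding) before the per-source window can be computed; the Computer field is what makes the distinct-host count meaningful.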

9. Command and Control

The Command and Control (C&C or C2) tactic includes techniques that adversaries may use to communicate with compromised systems within a victim network. In order to avoid detection, adversaries try to mimic legitimate traffic. They also use various channels, ports, and protocols for communication.

9.1 MITRE ATT&CK T1573.001 Encrypted Channel: Symmetric Cryptography

Adversaries conceal command and control traffic using a symmetric encryption algorithm rather than relying on any inherent protections provided by a communication protocol [19]. Symmetric encryption algorithms, such as AES, DES, and RC4, encrypt and decrypt plaintext using the same key. Regardless of the algorithm used, these implementations may be vulnerable to reverse engineering if the key is encoded and/or generated within malware samples/configuration files.

The BlackMatter ransomware gang encrypts the data that will be sent to the Command and Control (C2) server using AES.

10. Exfiltration

Adversaries use techniques in the Exfiltration tactic to steal data from your network. They encrypt or compress the data to be exfiltrated and use different channels and protocols to avoid detection.

10.1. MITRE ATT&CK T1041 Exfiltration Over C2 Channel

In this MITRE ATT&CK technique, adversaries steal data by exfiltrating it over an existing C2 channel. The BlackMatter ransomware group uses HTTP POST requests to exfiltrate the collected data to the C2 server.

11. Impact

11.1. MITRE ATT&CK T1486 Data Encrypted for Impact

Threat actors may encrypt data on target systems or on a large number of systems connected to a network to disrupt the system and network resource availability. They can make stored data unusable by encrypting files or data on local and remote drives, which is a common behavior of ransomware.

BlackMatter uses the following encryption schemes:

  • Salsa20 to encrypt the files.
  • RSA to encrypt Salsa20 keys.

Unfortunately, there is not a public BlackMatter ransomware decryption tool as of today.

11.2. MITRE ATT&CK T1490 Inhibit System Recovery

To prevent recovery, adversaries may delete built-in operating system data and disable services that aid in the recovery of a corrupted system. For example, deleting volume shadow copies is a typical behavior of ransomware. 

BlackMatter ransomware attacks utilize COM to delete all volume shadow copies on the system to prevent recovery. These samples don’t use well-known volume shadow copy deletion methods such as WMIC, vssadmin, and wbadmin, in order to avoid detection. BlackMatter also deletes the contents of the recycle bin.

READ our blog post titled "An Underrated Technique to Delete Volume Shadow Copies - DeviceIoControl" to learn more about four methods used by ransomware threat groups to prevent the recovery of encrypted files from volume shadow copies.

11.3. MITRE ATT&CK T1489 Service Stop

Adversaries stop or disable services on a system to inhibit response to an incident or aid in the adversary's overall objectives [20]. BlackMatter disables endpoint security-related services on the system. These services are specified in the ransomware’s configuration.

How Picus Helps Simulate and Prevent Ransomware Threats

Picus Security Control Validation Platform offers a threat-centric security control validation and mitigation that allows security teams to proactively identify gaps in the network, endpoint, and cloud security controls.

Briefly, Picus is not just a Breach and Attack Simulation (BAS) tool; it also provides actionable vendor-specific and vendor-agnostic detection rules and prevention signatures to enable you quickly fix your security gaps.

Picus Threat Library includes 10,000+ threats. It includes 100+ adversary group and malware scenarios, such as DarkSide, Hafnium, Nobelium (UNC2452), APT7, APT38 (Lazarus), Sodinokibi, Ryuk, TrickBot, WastedLocker, and NetWalker. It also includes 700+ atomic attack scenarios to assess your defenses against MITRE ATT&CK techniques.

Picus provides risk-free adversary emulation. You can simulate these attacks to test your network, endpoint, and cloud security controls. Then, you can validate your security controls against these attack scenarios, such as BlackMatter. Picus identifies your gaps in both detection and prevention. Picus’ Detection Analytics feature shows log collection, detection, and alerting status about adversary techniques and visualizes on the MITRE ATT&CK Framework.

Picus also provides actionable mitigation content: prevention signatures to address gaps in preventive security controls, log sources and log validation to address gaps in log generation and collection, and detection rules and detection validation to address detection and alerting gaps. So, you can collect the required logs, write detection rules, and generate alerts using the mitigation content provided by Picus. Moreover, Picus presents search queries for threat hunting, so you can use these queries to hunt for adversary TTPs, such as the BlackMatter TTPs listed in this document, in your SIEM or EDR.

How Picus Helps Simulate and Prevent the BlackMatter Ransomware

We strongly suggest simulating the BlackMatter ransomware with the Picus Security Control Validation Platform to test the effectiveness of your security controls against it. Picus Threat Library includes the following threats for the BlackMatter ransomware:

Picus ID / Threat Name

  • BlackMatter Ransomware .EXE File Download Variant-1
  • BlackMatter Ransomware .EXE File Download Variant-2
  • BlackMatter Ransomware .EXE File Download Variant-3
  • BlackMatter Ransomware .EXE File Download Variant-4
  • BlackMatter Ransomware .EXE File Download Variant-5

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address BlackMatter and other ransomware attacks in preventive security controls. 

Security Control / Signature ID / Signature Name

  • Check Point NGFW
  • Cisco Firepower NGFW (four signatures)
  • Forcepoint NGFW
  • FortiGate NGFW
  • McAfee Network Security Platform (IPS): MALWARE: Malicious File Detected by GTI
  • Palo Alto Networks NGFW (six signatures)
  • Snort IPS: MALWARE-TOOLS Win.Ransomware.BlackMatter variant download attempt

The main goal of this study was to determine attack methods used by BlackMatter threat actors and the impact of their cyber attacks by examining Tactics, Techniques, and Procedures (TTPs) utilized in BlackMatter attack campaigns.

The study's most obvious finding is the extensive use of defense evasion techniques. Reasonable approaches to tackle these threats include behavior-based detection and a proactive defense approach with attack simulation and security control validation. Because the BlackMatter ransomware group and most of the other threat actors use known TTPs, simulating these TTPs to identify gaps in security controls and closing these gaps is the most effective and efficient way to defend against these attacks.

Picus Security Control Validation Platform simulates hundreds of TTPs in its Threat Library and gives actionable mitigation information, such as ready-to-use vendor-specific or vendor-agnostic detection rules, for each TTP for building a proactive defense against adversaries.

BlackMatter Ransomware IOCs (Indicators of Compromise)

SHA256 Hashes




[1] “BlackMatter Ransomware.”
[2] “Native API.”
[3] S. Özarslan, “MITRE ATT&CK T1055 Process Injection.”
[4] A. Mundo and M. Elias, “BlackMatter Ransomware Analysis; The Dark Side Returns,” 22-Sep-2021.
[5] “Access Token Manipulation.”
[6] “Virtualization/Sandbox Evasion.”
[7] barrygolden, “ZwSetInformationThread function (ntddk.h).”
[8] A. Attacker, “Anti-debugging Techniques Cheat Sheet - 0xAA - Random notes on security.”
[9] “Abuse Elevation Control Mechanism: Bypass User Account Control.”
[10] stevewhims, “The COM Elevation Moniker.”
[11] A. Zsigovits, “LockBit ransomware borrows tricks to keep up with REvil and Maze,” 24-Apr-2020.
[12] “Obfuscated Files or Information.”
[13] “Deobfuscate/Decode Files or Information.”
[14] “Modify Registry.”
[15] “File and Directory Permissions Modification: Windows File and Directory Permissions Modification.”
[16] S. Özarslan, “MITRE ATT&CK T1082 System Information Discovery.”
[17] Karl-Bridge-Microsoft, “ZwQueryInformationProcess function.”
[18] “Remote Services: SMB/Windows Admin Shares.”
[19] “Encrypted Channel: Symmetric Cryptography.”
[20] “Service Stop.”

