Dissecting BlackMatter Ransomware

Recently, a new ransomware group emerged and began posting threads on cybercrime forums announcing that it is looking for affiliates and partners. The Threat Actor (TA) behind this ransomware has reused and refined techniques from existing ransomware groups such as DarkSide, REvil, and LockBit. Cyble Research Lab covered the group's background and modus operandi in an earlier blog (BlackMatter Under The Lens: An Emerging Ransomware Group Looking For Affiliates).

The BlackMatter ransomware encrypts the victim's document files and demands a ransom in exchange for the decryptor tool. Cyble Research Lab has identified that BlackMatter uses multiple anti-debugging and anti-analysis techniques. In this blog post, we dissect a BlackMatter ransomware sample.

Technical Analysis

Our static analysis found that the malware is a 32-bit (x86) GUI-subsystem executable with a compile timestamp of 2021-07-23 21:51:18, as shown in Figure 1. The PE timestamp is attacker-controlled, so treat it as a hint rather than proof of when the sample was built.

Figure 1 Static Information About BlackMatter Ransomware

Cyble Research Lab also found that the sample imports only three libraries: gdi32.dll, user32.dll, and kernel32.dll, as shown in Figure 2. Furthermore, only a handful of APIs (Application Programming Interfaces) are present in the import table, as shown in Figure 3. Such a sparse import table is itself a red flag: the APIs the malware actually needs are resolved at run time, as described below.

Figure 2 Libraries Used by Ransomware
Figure 3 Import Table APIs List

Upon execution, the ransomware does not create any child processes. Instead, it performs its work in multiple threads, as shown in Figure 4.

Figure 4 Process Tree of Ransomware

Figure 5 shows the user's document files after encryption: the ransomware appends a random-looking extension (for example, .9F4wvLwwX) to every encrypted file.

Figure 5 Encrypted File Extension Renamed

The BlackMatter ransomware also drops a ransom note on the victim's machine that explains how to contact the TA to obtain the decryption tool, as shown in Figure 6.

Figure 6 Ransom Note Dropped by Ransomware

Once encryption is complete, the ransomware changes the desktop wallpaper to display its message to the victim, as shown in Figure 7.

Figure 7 Message Shown to the Victim After Ransomware Infection Process Done

Cyble Research Lab also captured the network traffic the ransomware generates to communicate with, and send data to, the TA's Command & Control (C2) server, as shown in Figure 8.

Figure 8 Ransomware Communicating to C2

Dissection of BlackMatter Ransomware

Cyble Research Lab began with code and behaviour analysis. As shown in Figure 9, the ransomware code calls multiple functions.

Figure 9 Functions Called in Ransomware

Furthermore, only five key functions make up the core of this ransomware, as shown in Figure 10.

Figure 10 Key Functions of the Ransomware

Figure 11 shows the function used to dynamically load the additional libraries and resolve the APIs the ransomware needs.

Figure 11 Function Used for Loading Libraries and Resolving APIs

This function loads the required system dynamic link libraries (DLLs) and resolves the required APIs from each of them. The dword_* globals point to the encrypted API names, as shown in Figure 12.

Figure 12 APIs in Encrypted Format

All other libraries/DLLs are loaded once the subsequent function inside sub_405E5C executes, as shown in Figure 13.

Figure 13 Libraries Loaded After Execution of Function sub_405E5C

In total, the ransomware resolves more than 180 Windows APIs this way, as shown in Figure 14.

Figure 14 The APIs Resolved by the Function sub_405E5C
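To make the run-time resolution concrete, the following is an added example (not BlackMatter's or Cyble's code) that emulates a loader of the kind described for sub_405E5C: the API names are stored encrypted, decrypted one record at a time, and turned into a table of function pointers. The page does not disclose the encryption scheme or the table layout, so the rolling-XOR keystream, the length-prefixed record format and the FAKE_EXPORTS map that stands in for LoadLibrary/GetProcAddress are assumptions made for illustration. The decrypt_api_table function is the part an analyst would reimplement to recover the hidden import list.

```python
"""Emulation of a loader that keeps its API names encrypted and resolves them at
run time. Added example; the XOR scheme, record layout and export map are assumed."""
import struct


def _keystream(key: bytes, length: int) -> bytes:
    # Assumed scheme: repeat the seed key and add the byte index, so identical
    # plaintext bytes at different positions do not produce identical ciphertext.
    return bytes((key[i % len(key)] + i) & 0xFF for i in range(length))


def encrypt_api_table(entries, key: bytes) -> bytes:
    """Build the blob a packer would embed: u8 len, dll, u8 len, api, XORed."""
    plain = bytearray()
    for dll, api in entries:
        d, a = dll.encode(), api.encode()
        plain += struct.pack("<B", len(d)) + d + struct.pack("<B", len(a)) + a
    return bytes(p ^ k for p, k in zip(plain, _keystream(key, len(plain))))


def decrypt_api_table(blob: bytes, key: bytes):
    """Inverse of encrypt_api_table: recovers the (dll, api) list from the blob."""
    plain = bytes(c ^ k for c, k in zip(blob, _keystream(key, len(blob))))
    entries, pos = [], 0
    while pos < len(plain):
        dlen = plain[pos]
        dll = plain[pos + 1:pos + 1 + dlen].decode()
        pos += 1 + dlen
        alen = plain[pos]
        api = plain[pos + 1:pos + 1 + alen].decode()
        pos += 1 + alen
        entries.append((dll, api))
    return entries


# Constructed stand-in for the real export tables (addresses are made up).
FAKE_EXPORTS = {
    "kernel32.dll": {"CreateMutexW": 0x7FF00010, "FindFirstVolumeW": 0x7FF00020,
                     "FindNextVolumeW": 0x7FF00030, "FindVolumeClose": 0x7FF00040},
    "advapi32.dll": {"OpenServiceW": 0x7FE00010, "DeleteService": 0x7FE00020},
    "rstrtmgr.dll": {"RmStartSession": 0x7FD00010, "RmShutdown": 0x7FD00020},
}


def resolve_imports(blob: bytes, key: bytes, exports=FAKE_EXPORTS):
    """Mimic the loader: decrypt each name, 'LoadLibrary' the DLL, 'GetProcAddress'
    the export, and fill the table of function pointers the code later calls through."""
    table = {}
    for dll, api in decrypt_api_table(blob, key):
        module = exports.get(dll.lower())
        if module is None:
            raise LookupError(f"LoadLibrary failed: {dll}")
        if api not in module:
            raise LookupError(f"GetProcAddress failed: {dll}!{api}")
        table[api] = module[api]
    return table


# Constructed sample: a subset of the APIs named in the analysis, encrypted with a key.
SAMPLE_KEY = b"\x9f\x4c\x22\xd1"
SAMPLE_ENTRIES = [
    ("kernel32.dll", "CreateMutexW"),
    ("advapi32.dll", "OpenServiceW"),
    ("advapi32.dll", "DeleteService"),
    ("kernel32.dll", "FindFirstVolumeW"),
    ("kernel32.dll", "FindNextVolumeW"),
    ("kernel32.dll", "FindVolumeClose"),
    ("rstrtmgr.dll", "RmStartSession"),
]
SAMPLE_BLOB = encrypt_api_table(SAMPLE_ENTRIES, SAMPLE_KEY)

if __name__ == "__main__":
    # Static view: no API names in the blob. Dynamic view: the full resolved table.
    print("plaintext names visible in blob:", b"DeleteService" in SAMPLE_BLOB)
    for api, addr in resolve_imports(SAMPLE_BLOB, SAMPLE_KEY).items():
        print(f"{api:<20} 0x{addr:08X}")
```

The static import table of such a binary shows none of these names, which is exactly what Figures 2 and 3 look like; the names only appear once the decryption routine has run, so a memory dump taken after sub_405E5C, or a script that reimplements the decryption, is what yields the real import list.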

Upon execution, the ransomware creates a mutex named 0d216858b68c0bcae655c2eaffeee2ad, as shown in Figure 15. The mutex ensures that only one instance of the ransomware runs at a time, which also makes its name a useful host-based indicator.

Figure 15 Ransomware Creating Mutex

Cyble Research Lab also noticed that the ransomware deletes three Windows services. These services provide the Volume Shadow Copies that the Windows OS (Operating System) relies on for file recovery, as shown in Table 1.

Service name   Description
vmicvss        Hyper-V Volume Shadow Copy Requestor
vmvss          Volume Shadow Copy service
vss            Volume Shadow Copy Service
Table 1 Services Deleted by Ransomware

As shown in Figure 16, the ransomware opens the vmicvss service with the OpenServiceW API and then removes it with the DeleteService API. It repeats the same sequence for the other services listed in Table 1.

Figure 16 API Call to Open VMICVSS Service
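The OpenServiceW/DeleteService sequence above is a behaviour worth alerting on. The following is an added example (not Cyble's tooling or BlackMatter's code) of detection logic run over an API-call trace: it tracks which service name each OpenServiceW handle refers to, drops the mapping on CloseServiceHandle so that reused handle values are not misattributed, and reports any DeleteService call that lands on one of the Table 1 services. The trace lines are constructed in a generic "Api(args) -> result" shape; that format is an assumption, and the regexes would need adapting to a real sandbox or hook log.

```python
"""Detection of shadow-copy service removal over an API-call trace.
Added example; the trace format is assumed and the sample lines are constructed."""
import re

# Services from Table 1 whose removal blocks shadow-copy based recovery.
VSS_SERVICES = {"vss", "vmvss", "vmicvss"}

OPEN_RE = re.compile(
    r'OpenServiceW\([^,]+,\s*"(?P<name>[^"]+)"[^)]*\)\s*->\s*(?P<handle>0x[0-9a-fA-F]+)')
DELETE_RE = re.compile(r'DeleteService\((?P<handle>0x[0-9a-fA-F]+)\)')
CLOSE_RE = re.compile(r'CloseServiceHandle\((?P<handle>0x[0-9a-fA-F]+)\)')

# Constructed trace: a benign query of the Spooler service, then the three
# deletions; note that the SCM reuses handle 0x1a4 after it has been closed.
SAMPLE_TRACE = """\
CreateMutexW(NULL, FALSE, "0d216858b68c0bcae655c2eaffeee2ad") -> 0x94
OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS) -> 0x1a0
OpenServiceW(0x1a0, "Spooler", SERVICE_QUERY_STATUS) -> 0x1a4
CloseServiceHandle(0x1a4) -> TRUE
OpenServiceW(0x1a0, "vmicvss", DELETE) -> 0x1a4
DeleteService(0x1a4) -> TRUE
CloseServiceHandle(0x1a4) -> TRUE
OpenServiceW(0x1a0, "vmvss", DELETE) -> 0x1a8
DeleteService(0x1a8) -> TRUE
CloseServiceHandle(0x1a8) -> TRUE
OpenServiceW(0x1a0, "vss", DELETE) -> 0x1ac
DeleteService(0x1ac) -> TRUE
CloseServiceHandle(0x1ac) -> TRUE
"""


def find_service_deletions(trace: str):
    """Return (service name, line number) for every DeleteService call, resolving
    the handle through the most recent still-open OpenServiceW for it."""
    open_handles = {}          # handle -> service name while the handle is live
    deletions = []
    for lineno, line in enumerate(trace.splitlines(), start=1):
        m = OPEN_RE.search(line)
        if m:
            open_handles[m.group("handle").lower()] = m.group("name")
            continue
        m = CLOSE_RE.search(line)
        if m:
            open_handles.pop(m.group("handle").lower(), None)
            continue
        m = DELETE_RE.search(line)
        if m:
            name = open_handles.get(m.group("handle").lower(), "<unknown>")
            deletions.append((name, lineno))
    return deletions


def vss_services_deleted(trace: str):
    """Names from VSS_SERVICES that the trace shows being deleted (case-insensitive)."""
    return [name for name, _ in find_service_deletions(trace)
            if name.lower() in VSS_SERVICES]


def verdict(trace: str) -> str:
    # Deleting a shadow-copy service is not normal application behaviour, so a
    # single hit is enough to raise an alert.
    hits = vss_services_deleted(trace)
    return ("ALERT: shadow-copy services deleted: " + ", ".join(hits)) if hits else "clean"


if __name__ == "__main__":
    for name, lineno in find_service_deletions(SAMPLE_TRACE):
        print(f"line {lineno}: DeleteService on {name}")
    print(verdict(SAMPLE_TRACE))
```

The same handle-tracking idea applies to any hooked API pair where the interesting argument (here the service name) is only visible on the open call and the damaging action (the delete) only carries the handle.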

Furthermore, the ransomware enumerates the mounted volumes with the FindFirstVolumeW, FindNextVolumeW, and FindVolumeClose APIs, as shown in Figure 17.

Figure 17 Finding the Volume

The malware also empties the Recycle Bin, as shown in Figure 18.

Figure 18 Deleting Data from Recycle Bin

Figure 19 shows that the ransomware communicates with the attacker's C2 URL and sends the victim's system information in encrypted form.

Figure 19 Ransomware sends System Information to C2

Figure 20 shows the collected system information stored in memory as plaintext JSON before it is encrypted and sent.

Figure 20 The JSON Data which has been sent to C2

The ransomware likely receives a response from the C2, which it then decodes as JSON, as shown in Figure 21.

Figure 21 The Additional JSON Body Used by Ransomware
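Because the beacon is encrypted on the wire but sits in memory as plaintext JSON, a memory dump is the easiest place to recover both the outgoing system-information object (Figure 20) and the decoded C2 response (Figure 21). The following is an added example (not BlackMatter's or Cyble's code) of carving such objects out of a raw buffer: it scans for an opening brace, tracks brace depth while honouring quoted strings and escapes, gives up as soon as it meets a byte JSON cannot contain, and keeps only candidates that json.loads accepts as objects. The memory snapshot below is constructed (opcode-like filler around a JSON object with made-up keys); the real field names BlackMatter sends are not given on the page.

```python
"""Carving plaintext JSON objects out of a process-memory buffer.
Added example; SAMPLE_MEMORY and its keys are constructed, not taken from the sample."""
import json


def _scan_object(buf: bytes, start: int) -> int:
    """Return the end offset of a brace-balanced candidate object beginning at
    buf[start] == '{', or -1 if the scan hits a byte JSON cannot contain."""
    depth, in_str, esc = 0, False, False
    for j in range(start, len(buf)):
        c = buf[j]
        if c < 0x20 and c not in (0x09, 0x0A, 0x0D):
            return -1                       # raw control byte: not JSON
        if in_str:
            if esc:
                esc = False
            elif c == 0x5C:                 # backslash starts an escape
                esc = True
            elif c == 0x22:                 # closing quote
                in_str = False
            continue
        if c == 0x22:
            in_str = True
        elif c == 0x7B:                     # '{'
            depth += 1
        elif c == 0x7D:                     # '}'
            depth -= 1
            if depth == 0:
                return j + 1
        elif c > 0x7E:
            return -1                       # non-ASCII outside a string
    return -1


def carve_json_objects(buf: bytes, min_keys: int = 2):
    """Return [(offset, dict)] for every JSON object in buf with >= min_keys keys."""
    found, i = [], 0
    while True:
        start = buf.find(b"{", i)
        if start == -1:
            return found
        end = _scan_object(buf, start)
        if end != -1:
            try:
                obj = json.loads(buf[start:end].decode("utf-8"))
                if isinstance(obj, dict) and len(obj) >= min_keys:
                    found.append((start, obj))
                    i = end
                    continue
            except (ValueError, UnicodeDecodeError):
                pass
        i = start + 1                       # not an object here; resume one byte on


# Constructed memory snapshot: filler bytes, a decoy brace pair, then two objects.
SAMPLE_MEMORY = (
    b"\x55\x8b\xec\x83\xec\x10\x00" * 3
    + b'{"host":"WIN-7R2KJ1X","user":"jdoe","os":"Windows 10 Pro",'
      b'"arch":64,"disks":[{"drive":"C:","free_gb":120}]}'
    + b"\x00\x00{ not json {" + b"\x90" * 8
    + b'{"status":"ok","ext":".9F4wvLwwX"}'
    + b"\xcc" * 4
)


if __name__ == "__main__":
    for offset, obj in carve_json_objects(SAMPLE_MEMORY):
        print(f"0x{offset:x}: {sorted(obj)}")
```

Run against a real dump, the offsets double as a starting point for locating the encryption routine: a breakpoint on the first read of the carved object's address leads to the code that wraps it for the C2.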

Additionally, the ransomware uses the Restart Manager technique. Through the Restart Manager API (rstrtmgr.dll), it checks whether a target file is held open by another process; if so, it terminates that process so the file can be encrypted, as shown in Figure 22. This is how it reaches documents that are open in an editor or database files locked by a service.

Figure 22 Ransomware using Restart Manager Technique

BlackMatter follows the standard ransomware infection flow, as shown in Figure 23.

Figure 23 General Infection Process of Ransomware

BlackMatter encrypts files, collects and sends system information to its C2 server, and performs data exfiltration or additional actions based on the commands it receives from the C2.


BlackMatter uses various techniques to make analysis difficult. Based on our initial analysis, the affiliates who target organizations obtain initial access to the victim's infrastructure themselves and then execute the ransomware.

Cyble Research Lab continuously monitors BlackMatter activity and keeps our clients informed with recent updates about this campaign.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defence against attackers. We recommend that our readers follow the suggestions given below:

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on automatic software updates on your computer, mobile, and other connected devices wherever possible and practical.
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobiles.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Back up regularly and keep those backups offline or on a separate network, since the ransomware removes the on-host shadow copies.

MITRE ATT&CK® Techniques

Tactic            Technique ID   Technique Name
Initial Access    T1566          Phishing
Execution         T1204          User Execution
Discovery         T1082          System Information Discovery
Defense Evasion   T1497.003      Time Based Evasion
Impact            T1490          Inhibit System Recovery
Impact            T1489          Service Stop
Impact            T1486          Data Encrypted for Impact

Indicators of Compromise (IoCs):  

Indicator                                                                  Indicator type   Description
mojobiden[.]com                                                            Domain           TA C2
paymenthacks[.]com                                                         Domain           TA C2
http:[//]supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion  TOR URL          TA Contact URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit
