Cyble-BlackMatter-Ransomware-Financial-Information-Pine-Labs

​BlackMatter Ransomware Attack Impacting Multiple Financial Institutions

In the course of our routine threat hunting exercise, the Cyble Research Lab discovered that Pine Labs, an Indian merchant platform company that provides financing and last-mile retail transaction technology, was impacted by a ransomware attack. Our investigation showcased that the BlackMatter ransomware group is behind the attack on Pine Labs. The group has been garnering considerable media attention because of this attack.  

On August 5, 2021, Cyble Research Labs published a detailed technical analysis of the BlackMatter ransomware group. Cyble also covered BlackMatter’s activities separately, wherein the group was recruiting via cybercrime forums and seeking affiliates

The attack came into the limelight after the BlackMatter ransomware group updated its victim list on its leak website on August 10, 2021. The impact of this attack is significant, as initial investigations indicate that the incident has affected multiple financial institutions using Pine Labs services across India. 

Analysis  

Upon further analysis, we found that the attack exposed the following details: 

  • Service and other private agreements between multiple Indian banks/institutions and Pine Labs 
  • Multiple financial reports  
  • More than 500,000 unique records of contact information (leads): phone, name, e-mail 
Figure 1 Post by BlackMatter

Figures 2 and 3 shows the list of affected entities. 

Figure 2 Sample Data Showcasing Affected Banks 
Figure 3 Sample Data Showcasing Affected Banks 

Based on further analysis, we found that the data shared by the ransomware group contains their internal documents such as agreements with multiple institutions and other confidential information, as shown in Figures 4 and 5.   

Figure 4 Pine Labs Internal Document
Figure 5 Pine Labs Employee Details
Figure 6 Sample Data

Conclusion  

Ransomware groups continue to pose a serious threat to firms and individuals. Organizations need to stay ahead of the techniques used by Threat Actors. Victims of ransomware are at the risk of losing valuable data, which can further lead to financial loss and loss of reputation and productivity.  

Cyble Research Lab is continuously monitoring the activities of the BlackMatter ransomware group, and we will keep updating this space with new information.  

Our Recommendations 

  • Use the shared IoCs to monitor and block the malware infection. 
  • Use strong passwords and enforce multi-factor authentication wherever possible.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 

Indicators of Compromise (IoCs):   

Indicators Indicator type Description 
daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720 Hash SHA-256 
c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99 Hash SHA-256 
7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984 Hash SHA-256 
22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 Hash SHA-256 
mojobiden.com URL TA C2 
paymenthacks.com URL TA C2 
http:[//]supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion TOR URL TA Contact URL 

Disclaimer 

Cyble Research Lab is continuously monitoring the activities of the BlackMatter ransomware group, and we will keep updating this space with new information. Please also check the two advisories posted on Cyble Vision for a detailed analysis of the ransomware group. 

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com 

%d bloggers like this: