In the course of our routine threat hunting exercise, the Cyble Research Lab discovered that Pine Labs, an Indian merchant platform company that provides financing and last-mile retail transaction technology, was impacted by a ransomware attack. Our investigation showcased that the BlackMatter ransomware group is behind the attack on Pine Labs. The group has been garnering considerable media attention because of this attack.
On August 5, 2021, Cyble Research Labs published a detailed technical analysis of the BlackMatter ransomware group. Cyble also covered BlackMatter’s activities separately, wherein the group was recruiting via cybercrime forums and seeking affiliates.
The attack came into the limelight after the BlackMatter ransomware group updated its victim list on its leak website on August 10, 2021. The impact of this attack is significant, as initial investigations indicate that the incident has affected multiple financial institutions using Pine Labs services across India.
Analysis
Upon further analysis, we found that the attack exposed the following details:
- Service and other private agreements between multiple Indian banks/institutions and Pine Labs
- Multiple financial reports
- More than 500,000 unique records of contact information (leads): phone, name, e-mail
Figures 2 and 3 shows the list of affected entities.
Based on further analysis, we found that the data shared by the ransomware group contains their internal documents such as agreements with multiple institutions and other confidential information, as shown in Figures 4 and 5.
Conclusion
Ransomware groups continue to pose a serious threat to firms and individuals. Organizations need to stay ahead of the techniques used by Threat Actors. Victims of ransomware are at the risk of losing valuable data, which can further lead to financial loss and loss of reputation and productivity.
Cyble Research Lab is continuously monitoring the activities of the BlackMatter ransomware group, and we will keep updating this space with new information.
Our Recommendations
- Use the shared IoCs to monitor and block the malware infection.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| daed41395ba663bef2c52e3d1723ac46253a9008b582bb8d9da9cb0044991720 | Hash | SHA-256 |
| c6e2ef30a86baa670590bd21acf5b91822117e0cbe6060060bc5fe0182dace99 | Hash | SHA-256 |
| 7f6dd0ca03f04b64024e86a72a6d7cfab6abccc2173b85896fc4b431990a5984 | Hash | SHA-256 |
| 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6 | Hash | SHA-256 |
| mojobiden.com | URL | TA C2 |
| paymenthacks.com | URL | TA C2 |
| http:[//]supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid[.]onion | TOR URL | TA Contact URL |
Disclaimer
Cyble Research Lab is continuously monitoring the activities of the BlackMatter ransomware group, and we will keep updating this space with new information. Please also check the two advisories posted on Cyble Vision for a detailed analysis of the ransomware group.
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com
