BlackMatter Ransomware Quickly Fills Void Left by Darkside, REvil

Image: iStock / Umnat Seebuaphan

In late July, a new ransomware-as-a-service (RaaS) operation called BlackMatter appeared on the scene. After the apparent retirement of previously devastating RaaS groups like Darkside and REvil, BlackMatter claims to fill the void left by these two services – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0.

“BlackMatter took all the good features from REvil and Lockbit 2.0 and Darkside,” says Mark Loman, Director, Engineering, for Next-Gen Technologies at Sophos. 

“What’s interesting is there is a competitiveness in the underground between ransomware gangs. They are promoting themselves now in various ways because they want all the other ransomware affiliates to move over to BlackMatter.”

In fact, the criminals are so serious about promotion that they conducted an interview with Recorded Future, boasting about how the malware combines all of the best features of other variants – and how it was developed after careful study of the other techniques. BlackMatter recently made headlines for attacking an Iowa-based provider of agriculture services called NEW Cooperative Inc. They demanded a $5.9 million ransom from the farming cooperative.

What’s different between BlackMatter and its predecessors? For starters, the BlackMatter gang claims faster encryption of hijacked systems, according to Loman. But there is a lot of inspiration from the other ransomware variants, he says. For example, when victims are hit with the BlackMatter ransomware and the files on the drives are encrypted, BlackMatter sets a wallpaper that is very similar to DarkSide’s. During encryption, the BlackMatter ransomware’s file system activity and use of multithreading look the same as DarkSide’s.

Unlike DarkSide, the BlackMatter ransomware takes ownership of a document before encrypting it. Victims who pay the ransom will receive a decrypter from the attacker, but that decrypter cannot restore the original access permissions, so the files’ security information is lost. Loman says that means victims should check and re-enforce proper permissions when recovering from a BlackMatter ransomware attack. Another similarity with both REvil and Darkside is how BlackMatter ransomware stores configuration information.
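The ownership change described above leaves recovered files owned by whatever account the ransomware ran as, with the original DACLs gone. The script below is an added example of the post-recovery permissions check Loman recommends; it is not code from the article, from Sophos, or from any BlackMatter sample. It walks a recovered share, reports every file or folder whose owner is not on an approved list, and, when run elevated with -Fix, reassigns a known owner. The share path, the approved-owner list and the CORP\FileAdmins account are assumed values for illustration.

```powershell
# Added example (not from the article or Sophos): audit file ownership after a
# ransomware recovery and flag objects whose owner is not an approved account.
# Assumed values: $Root, $ExpectedOwners and the CORP\FileAdmins restore owner.

param(
    [string]$Root = 'D:\RecoveredShare',                     # assumed share root
    [string[]]$ExpectedOwners = @('BUILTIN\Administrators',  # assumed approved owners
                                  'NT AUTHORITY\SYSTEM',
                                  'CORP\FileAdmins'),
    [switch]$Fix                                             # reassign owner when set
)

# Owner to assign with -Fix (assumed account). Setting an owner other than the
# calling user requires SeRestorePrivilege, i.e. an elevated session.
$RestoreOwner = New-Object System.Security.Principal.NTAccount('CORP\FileAdmins')

$findings = foreach ($item in Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) {
    $acl = $null
    try {
        $acl = Get-Acl -LiteralPath $item.FullName
    } catch {
        # An unreadable ACL after an incident is itself a finding worth recording.
        [pscustomobject]@{ Path = $item.FullName; Owner = '<unreadable>'; Issue = 'ACL not readable' }
    }

    if ($acl -and ($ExpectedOwners -notcontains $acl.Owner)) {
        [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner; Issue = 'Unexpected owner' }

        if ($Fix) {
            # Put ownership back under an administrative group; the DACL itself
            # still has to be restored from a baseline (see usage note).
            $acl.SetOwner($RestoreOwner)
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

# Keep a record for the incident file and print a per-owner summary.
$report = Join-Path $env:TEMP 'owner-audit.csv'
$findings | Export-Csv -Path $report -NoTypeInformation
$findings | Group-Object Owner | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
Write-Host "Findings written to $report"
```

Ownership is only half of the lost security information. Once owners are corrected, the DACLs need a trusted source: an `icacls <path> /save <file> /t` export taken before the incident can be reapplied with `icacls <path> /restore <file>`, and where no export exists, `icacls <path> /reset /t /c` replaces the stripped ACLs with the inherited defaults from the parent folder so that permissions can be rebuilt from the share root downward.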

Despite their similarities, Sophos researchers say BlackMatter is not simply a rebranding of one group as another. Malware analysis shows that while there are similarities with DarkSide ransomware, the code is not identical. They caution that it causes a lot of damage without triggering many alarms and advise security leaders to keep on top of endpoint protection alerts, which can be an indicator of an imminent attack with devastating effects.

Learn how Sophos can help defenders protect against ransomware attacks at


Copyright © 2021 IDG Communications, Inc.