BLACKMATTER

once a BlackMatter operator gains access to a target’s network and is ready to deploy the ransomware, a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server

a scheduled task is set up that executes a PowerShell script... Change the default boot configuration to safe mode with networking, by running this command: bcdedit /set {current} safeboot network

a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server... The ransomware binary itself is base64 encoded and embedded inside the PowerShell script.

once a BlackMatter operator gains access to a target’s network and is ready to deploy the ransomware, a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server

Create the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon registry key and set it to 1... Create an entry under the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ registry key

Change the default boot configuration to safe mode with networking, by running this command: bcdedit /set {current} safeboot network... When the ransomware has finished encrypting, it runs the following command... bcdedit /deletevalue {current} safeboot

Create an entry under the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ registry key, using a random string starting with an asterisk

once a BlackMatter operator gains access to a target’s network and is ready to deploy the ransomware, a scheduled task is set up that executes a PowerShell script on a domain-accessible UNC path on a server

Change the default boot configuration to safe mode with networking, by running this command: bcdedit /set {current} safeboot network... When the ransomware has finished encrypting, it runs the following command... bcdedit /deletevalue {current} safeboot

Create an entry under the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ registry key, using a random string starting with an asterisk

BlackMatter also attempts to elevate its privileges when it is limited by User Account Control (UAC). It does so via an elevated COM interface

When necessary, SilabRAT attempts to bypass Windows UAC (User Account Control) by elevating privileges using the ICMLuaUtil COM interface.

Like DarkSide (and REvil), BlackMatter uses a run-time API that can hinder static analysis of the malware. And like the other two ransomware groups, strings are also encrypted and revealed during runtime... stores configuration information in the binary in an encoded format.

The LockBit 3.0 ransomware uses a variety of anti-analysis techniques to hinder static and dynamic analysis... Several techniques are implemented for detecting the presence of a debugger and hindering dynamic analysis.

Create the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon registry key and set it to 1... Create an entry under the HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ registry key

SophosLabs decoded this and found that BlackMatter ransomware has a similar structure and information stored in the configuration blob, like lists of processes and services to kill

The BlackMatter ransomware collects information from victim machines, like hostname, logged in user, operating system, domain name, system type (architecture), language, as well as the size of the disk and available free space.

Description blackmailer ransomware accessing schcache due to creation of adsi object for its ldap query. MITRE ATT&CK Techniques ... Path: /datasets/attack_techniques/T1087.002/blackmatter_schcache/windows-sysmon.log

The LockBit 3.0 ransomware uses a variety of anti-analysis techniques to hinder static and dynamic analysis... Several techniques are implemented for detecting the presence of a debugger and hindering dynamic analysis.

The analyzed sample sends these details to a remote server hosted on paymenthacks.com

BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin.

Attackers move directly to deploying ransomware by editing a Group Policy.

where endpoint protection is typically not active, and perform the entire encryption attack there... The machine is restarted, although the abused Administrator account remains automatically logged in.

The following analytic detects the modification of registry keys related to the desktop wallpaper settings... This activity is significant as it can indicate ransomware behavior, such as the REVIL ransomware, which changes the wallpaper to display a ransom note.

BlackMatter terminates several productivity related processes before encryption begins... In the presence of robust endpoint protection software, the attacker can opt to use BlackMatter’s Safe Mode capability.

Via the -safe command-line switch, the BlackMatter ransomware can restart Windows into a diagnostic mode known as Safe Mode, where endpoint protection is typically not active, and perform the entire encryption attack there.