A joint advisory has been released by several federal agencies to warn businesses regarding the re-emergence of BlackMatter malware that is taking the place of the infamous DarkSide RaaS.

The revival of DarkSide 

The joint advisory released by the CISA, FBI, and NSA states that DarkSide ransomware, which was behind the Colonial Pipeline attacks, has reassembled under the name of BlackMatter and is actively targeting new victims.
  • The advisory states that the Darkside group, which was active between September 2020 and May 2021, has closed shop. However, the actors behind it may still be operating under the moniker BlackMatter.
  • Federal agencies have further provided the TTPs derived from various samples of BlackMatter and warned businesses to improve their defenses by following the provided recommendations.

Tactics observed

Researchers have analyzed one of the BlackMatter ransomware variants in a sandbox environment to provide more insight regarding its recent tactics.
  • The ransomware uses admin/user credentials that were previously compromised. It further uses EnumServicesStatusExW and NtQuerySystemInformation functions to identify running services and processes.
  • It then exploits the SMB and LDAP protocol to identify all hosts in the AD and the Microsoft Remote Procedure Call (MSRPC) function to spot each host for available shares.
  • The ransomware uses stolen credentials and SMB protocol to remotely encrypt a compromised host, including all contents of the shares such as C$, SYSVOL, NETLOGON, and ADMIN$.
  • Moreover, attackers use a separate encryption binary for Linux-based machines and routinely encrypt ESXi VMs. Instead of encrypting backup systems, they wipe or reformat backup data stores and appliances.

Recent attacks by BlackMatter

  • In recent times, BlackMatter has hit NEW Cooperative and followed it up with an attack on arms supply and gain marketing Co-op Crystal Valley in the same week.
  • A month ago, the group targeted Olympus (the Japanese tech giant) with a ransomware attack.


  • BlackMatter’s tactics include the use of stolen credentials to get inside targeted networks. For this reason, some of the primary mitigations for defending against BlackMatter attacks are related to how organizations manage user authentication. 
  • The advisory provided detection signatures to spot BlackMatter activity on a network. It can be used to block the placement of the group’s ransom note and SMB traffic from the encryptor system for 24 hours.
  • Moreover, restricting access to resources over the network and applying network segmentation, along with traversal monitoring can stop the group from accessing and encrypting resources.
  • Remove unwanted access to administrative shares, such as ADMIN$ and C$, and use a host-based firewall to allow only a few connections to shares via SMB from a limited admin machine.

Ending note

The re-emergence of DarkSide ransomware as BlackMatter is indeed concerning. Experts recommend keeping an eye on the TTPs to stay aware of the latest tricks used by the threat group and implementing the recommended mitigation tips at the earliest.

Cyware Publisher