The BlackMatter ransomware group has been using a new data exfiltration tool designed to accelerate information theft. The tool, named Exmatter, was custom-built by the ransomware group using the .NET framework.

What's new?

Symantec’s Threat Hunter team has discovered the custom tool that steals certain file types from selected directories and uploads them to a server before deploying the ransomware on the victim’s network.
  • To steal files, the tool obtains the names of logical drives on the victim’s computer and all file pathnames. However, the tool avoids anything under certain directories such as C:\Documents and Settings, and more.
  • It steals only specific file types, such as PDFs, spreadsheets, PowerPoints, and Word docs, and prefers files with a recent LastWriteTime.
  • Once exfiltration is done, the tool overwrites the initial chunk of the file and makes sure to delete any traces of itself from the victim’s network.

According to researchers, the BlackMatter group is associated with the Coreid cybercrime group, which is believed to be behind the Darkside ransomware that led to the devastating Colonial Pipeline outage.

Multiple versions of the tool

Symantec has discovered multiple variants of the tool, implying that the attackers behind it have made efforts to make it more efficient and improve its functionality to speed up the process of data theft.
  • In one variant, a directory on the exclusion list was replaced with a different path. The variant also added the .xlsm and .zip file types to the inclusion list.
  • Another variant includes a WebDAV client, and the code structure implies that SFTP is the preferred protocol, with WebDAV acting as a backup. The WebDAV client uses a fixed URL.
  • A further variant of the custom tool was observed with updated SFTP server information.
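
The behaviour described in the two lists above (bulk reads of document files, an upload over SFTP or WebDAV, then the tool overwriting and deleting itself) can be correlated per process in endpoint telemetry. The following is an added detection sketch, not code from Symantec or from the tool. The event fields, the threshold, the mapping of file types to extensions, the sample paths and the reading of "the file" as the tool's own executable are all assumptions.

```python
from collections import defaultdict

# Extensions assumed for the file types the article names (plus .xlsm and .zip).
DOC_EXTS = (".pdf", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".doc", ".docx", ".zip")
UPLOAD_PROTOS = {"sftp", "webdav"}   # SFTP preferred, WebDAV as backup
MIN_DOC_READS = 3                    # assumed threshold, kept low for the sample

def detect(events, min_reads=MIN_DOC_READS):
    """Return {pid: [stages]} for processes that collect documents and then upload."""
    docs, stages = defaultdict(set), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        pid, kind, seen = ev["pid"], ev["type"], stages[ev["pid"]]
        path = ev.get("path", "").lower()
        if kind == "file_read" and path.endswith(DOC_EXTS):
            docs[pid].add(path)
            if len(docs[pid]) >= min_reads and "collect" not in seen:
                seen.append("collect")
        elif kind == "net_connect" and ev.get("proto") in UPLOAD_PROTOS:
            if "collect" in seen and "upload" not in seen:
                seen.append("upload")
        elif kind in ("file_write", "file_delete") and path == ev["image"].lower():
            # The process is modifying its own executable (assumed meaning of "the file").
            wiping = kind == "file_delete" or ev.get("offset") == 0
            if wiping and "upload" in seen and "self_wipe" not in seen:
                seen.append("self_wipe")
    return {pid: s for pid, s in stages.items() if "upload" in s}

def mk(t, pid, image, kind, **extra):
    """Build one constructed telemetry event."""
    return {"t": t, "pid": pid, "image": image, "type": kind, **extra}

TOOL = r"C:\Users\Public\sample_tool.exe"      # constructed path
SYNC = r"C:\Program Files\Sync\sync.exe"       # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    mk(1, 4120, TOOL, "file_read", path=r"D:\Finance\q3.xlsx"),
    mk(2, 4120, TOOL, "file_read", path=r"D:\Finance\budget.pdf"),
    mk(3, 4120, TOOL, "file_read", path=r"D:\HR\offer.docx"),
    mk(4, 4120, TOOL, "net_connect", proto="sftp", dst="198.51.100.7"),
    mk(5, 4120, TOOL, "file_write", path=TOOL, offset=0),
    mk(6, 4120, TOOL, "file_delete", path=TOOL),
    mk(7, 2000, SYNC, "net_connect", proto="sftp", dst="198.51.100.9"),
    mk(8, 3000, SYNC, "file_read", path=r"D:\Finance\q3.xlsx"),
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Requiring the stages in order keeps a lone SFTP client or a single document read from alerting; in production the read threshold and a time window would need tuning against backup and sync software.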


The development of multiple variants of a custom information-stealing tool such as Exmatter shows that the BlackMatter group is prioritizing exfiltration activities. The stolen information can then be used as leverage for ransom and even offered on dark web forums for money. Organizations are therefore advised to use robust anti-ransomware solutions to stay protected.

Cyware Publisher