SentinelOne Vs. BlackMatter Ransomware – Kill and Quarantine
See how SentinelOne kills and quarantines BlackMatter ransomware. BlackMatter appeared on the ransomware scene in July 2021 with its stated interest in purchasing “Network Access to Businesses in the US, Canada, Australia, and Great Britain” on a well-known cybercrime forum. Researchers suspect BlackMatter is a direct successor to the infamous DarkSide Ransomware-as-a-Service. While some circumstantial evidence supports this succession, a clear and definite link has not yet been established.
Current versions of BlackMatter exist for both Windows and Linux. The malware is highly obfuscated and employs numerous anti-analysis techniques. The authors have added functionality expected of advanced ransomware, such as the ability to compromise systems while booted in safe mode, thereby bypassing some AV products. BlackMatter partially encrypts files, a feature it shares with other ransomware families including DarkSide. Encrypting only part of each file, rather than the whole file, lets the ransomware work through a system much faster. By modifying a smaller part of each file's contents in less time, the attackers hope to stay under the threshold at which security products consider activity malicious, and so increase their stealth. In addition, BlackMatter is able to infect reachable network resources, as well as Network Attached Storage (NAS) devices and platforms.
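Why partial encryption matters for detection, shown as an added example that is not SentinelOne's code or part of the original video: a whole-file entropy check can stay under a "looks encrypted" threshold when only a fraction of a file is ciphertext, while a per-chunk check still flags the encrypted region. The 4 KiB chunk size, the 7.0-bit threshold and the sample files are assumptions constructed here; the page gives no detail of which portion of a file BlackMatter encrypts.

```python
import math
import random

CHUNK = 4096       # assumed chunk size; the real on-disk layout is not given on the page
THRESHOLD = 7.0    # assumed cut-off in bits per byte for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size chunk, so a locally encrypted region stands out."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def assess(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> dict:
    """Compare the whole-file entropy with a per-chunk verdict for the same bytes."""
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= threshold)
    if not ents:
        verdict = "empty"
    elif high == len(ents):
        verdict = "fully-encrypted"
    elif high:
        verdict = "partially-encrypted"
    else:
        verdict = "plaintext"
    return {
        "chunks": len(ents),
        "high_entropy_chunks": high,
        "whole_file_entropy": round(shannon_entropy(data), 2),
        "verdict": verdict,
    }

# Constructed samples (not real victim files): a 64 KiB text document, the same document
# with only its first 8 KiB replaced by seeded pseudo-random bytes, and a fully random file.
_rng = random.Random(1)
def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))

_LINE = b"Quarterly report: revenue up 4% in the northern region.\n"
PLAINTEXT_DOC = (_LINE * 2000)[:64 * 1024]
PARTIAL_DOC = _random_bytes(8 * 1024) + PLAINTEXT_DOC[8 * 1024:]
FULL_DOC = _random_bytes(64 * 1024)
```

Running `assess(PARTIAL_DOC)` reports a whole-file entropy below the threshold but two high-entropy chunks, which is the gap a whole-file heuristic leaves open.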
The group behind BlackMatter maintains a Tor-based blog where it tracks data leaked from ‘non-compliant’ victims. This is part of a double-extortion technique: victims face the added pressure of a potential leak of sensitive files on top of their systems being disabled by the ransomware.
#ransomware #cybersecurity #infosec #BlackMatter #endpointprotection #endpointsecurity