Blackmatter

Threat Actor updated 4 days ago (2024-11-29T14:37:38.963Z)
BlackMatter is a ransomware threat actor that ran its own ransomware-as-a-service (RaaS) programme and has been linked to several ransomware strains. The group emerged in 2021 as the successor to DarkSide, the operation behind the high-profile attack on Colonial Pipeline in May 2021. BlackMatter announced its shutdown in November 2021, citing increased law enforcement scrutiny. Its influence persists: many former affiliates now take part in campaigns for other ransomware families, including newly emerged ones such as RansomHub.

The same developers have run RaaS projects under both the DarkSide and BlackMatter brands, the latter launched after the DarkSide operation's encounters with U.S. law enforcement. LockBit 3.0, also referred to as LockBit Black, shows notable similarities to both BlackMatter and Alphv (also known as BlackCat) ransomware. Research from Trend Micro indicates that parts of LockBit 3.0's code were borrowed from BlackMatter, which is where the LockBit Black nickname comes from. When BlackMatter wound down, it transferred the data of its remaining victims to LockBit, which then took over the existing extortion demands. This points to cooperation, or at least shared resources, between the two operations.

The cessation of BlackMatter operations did not end the developers' pursuit of ransomware revenue. DarkSide's operators had already re-emerged as BlackMatter a few months after the Colonial Pipeline attack, only to close that operation roughly four months later, citing "pressure from the authorities." Their ability to adapt and rebrand, and their persistence in extortion operations, underscore the ongoing threat they pose. As cybersecurity experts have noted, it would not be surprising if this group, with its traceable links to both DarkSide and BlackMatter, returned once more in the near future.
Description last updated: 2024-11-15T16:02:34.151Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following are possible overlapping names and profiles that may also be worth reviewing.
Alias (votes): description

DarkSide (9 votes): DarkSide is a possible alias for Blackmatter. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply across…

Alphv (8 votes): Alphv is a possible alias for Blackmatter. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p…

Lockbit Black (5 votes): Lockbit Black is a possible alias for Blackmatter. LockBit Black, also known as LockBit 3.0, is malicious software that emerged in early 2022 following the release of its predecessor, LockBit 2.0 (or LockBit Red), in mid-2021. The malware has been developed to exploit and damage computer systems by encrypting files, often leading to ransom demands…

Trigona (2 votes): Trigona is a possible alias for Blackmatter. Trigona was a significant strain of ransomware that emerged in 2022, known for its harmful effects on computer systems. The malware infiltrated systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it could steal personal information, disrupt ope…

Hunters International (2 votes): Hunters International is a possible alias for Blackmatter. Hunters International, an active threat actor group since October of the previous year, has been identified as a significant cybersecurity concern. The group has taken over and rebranded the Hive ransomware, despite their disputes about this association. This development followed the disbandment of…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Cybercrime
Extortion
RaaS
Source
Linux
Associated Malware
Malware (association type; votes): description

LockBit (is related to; 9 votes): The LockBit malware is associated with Blackmatter. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or…

REvil (Unspecified; 7 votes): The REvil malware is associated with Blackmatter. REvil, also known as Sodinokibi, is malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. Th…

Hive (Unspecified; 4 votes): The Hive malware is associated with Blackmatter. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag…

Conti (Unspecified; 4 votes): The Conti malware is associated with Blackmatter. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal persona…

Black Basta (Unspecified; 2 votes): The Black Basta malware is associated with Blackmatter. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses…

Ryuk (Unspecified; 2 votes): The Ryuk malware is associated with Blackmatter. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware inves…

Clop (Unspecified; 2 votes): The Clop malware is associated with Blackmatter. Clop, malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin…

Maze (Unspecified; 2 votes): The Maze malware is associated with Blackmatter. Maze is a form of malicious software, or malware, that pioneered a novel double-extortion tactic in the cyber threat landscape. Its modus operandi involves stealing victims' files before encrypting them, thereby enabling the threat actors to threaten both the disruption of operations and the release…

AvosLocker (Unspecified; 2 votes): The AvosLocker malware is associated with Blackmatter. AvosLocker is a type of malware, specifically ransomware, known for its malicious intent to exploit and damage computer systems. This software often infiltrates systems undetected through suspicious downloads, emails, or websites, subsequently causing disruption in operations, theft of personal info…
Associated Threat Actors
Threat actor (association type; votes): description

FIN7 (Unspecified; 3 votes): The FIN7 threat actor is associated with Blackmatter. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global…

Sangria Tempest (Unspecified; 2 votes): The Sangria Tempest threat actor is associated with Blackmatter. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura…

LockBitSupp (Unspecified; 2 votes): The LockBitSupp threat actor is associated with Blackmatter. LockBitSupp, a prominent threat actor, has been identified as Russian national Dmitry Yuryevich Khoroshev. The group's activities have been under scrutiny due to its involvement in ransomware attacks and other cybercrimes. Khoroshev, who was operating under the aliases "LockBit" and "LockBitSupp," i…

Bl00dy (Unspecified; 2 votes): The Bl00dy threat actor is associated with Blackmatter. Bl00dy is a threat actor known for its malicious activities in the cyber world. The group, along with another threat actor called Black Basta, has recently been identified as exploiting bugs in ConnectWise ScreenConnect, a popular remote management tool. This exploitation has led to a significant i…
Source Document References
Information about the Blackmatter threat actor was read from the documents in the corpus listed below. This display is limited to 20 results.

Source (created at)
Securelist (18 days ago)
DARKReading (5 months ago)
BankInfoSecurity (5 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
CERT-EU (9 months ago)
BankInfoSecurity (9 months ago)
BankInfoSecurity (9 months ago)
InfoSecurity-magazine (9 months ago)
DARKReading (10 months ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
DARKReading (a year ago)