Back to Blog Home

FBI, CISA, and NSA Publish BlackMatter Ransomware Threat Report

Oct 21, 2021

By John Rote


On October 19th, 2021, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.  The advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.

In July 2021, a new ransomware gang started posting advertisements on various cybercrime forums announcing that it was seeking to recruit partners and claiming that it combined the features of notorious groups like REvil and DarkSide.  Named BlackMatter, the gang said it was specifically interested in targeting large companies with annual revenues of more than $100 million. However, the group said some industries were off limits: It would not extort healthcare, critical infrastructure, oil and gas, defense, non-profit, and government organizations.
BlackMatter is a Russian-speaking ransomware group became active on the Russian and English-language forums Exploit and XSS since July 19, 2021.  It also has a data leaks site, which as of July 30 only lists rules around targeting and does not contain any victims or victim data. Based on the information available, Flashpoint assesses that the group is operating out of the Russian Federation.  A representative from Recorded Future recently was informed in a BlackMatter interview that BlackMatter is learning from the mistakes of other ransomware groups, what they look for when they recruit partners, and why they avoid certain targets.

BlackMatter Timeline:


The front page of the BlackMatter leaks site contains a description of the group and a list of rules around how BlackMatter will target victims. The site claims they are a financially motivated threat actor group, and they rely on “honesty and transparency” when dealing with victims. The group said they would never attack a company twice and will always fulfill their obligations.  In addition to the information around targeting, the leaks site also expands on rules around targeting victims. The threat actor claims they will not target hospitals, critical infrastructure, the government sector, the defense industry, non-profit organizations and the oil and gas industry. 

BlackMatter, in addition to posting information about themselves and their operations, they also stated that they are looking for corporate network access, their requirements, their options for work, the type of work, and how much you must deposit for them to do the work.

The BlackMatter ransomware has successfully been tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86. The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs.

According to the advisory, BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.”  The variant of BlackMatter analyzed leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.  Additional information can be found at:


The inclusion of the Five Eyes countries in BlackMatter’s list of targets is notable, it is likely more financially motivated than strategic. The US, Canada, Australia, and the UK are ranked among the top ten most targeted countries for publicly reported incidents on ransomware blogs. Impacted organizations operating in these countries are generally more likely to have cyber insurance, and therefore may be more likely to pay a demanded ransom.

CISA, the FBI, and the NSA recommends implementing the following:

Additional recommendations: