DarkSide Returns as BlackMatter Ransomware

You are currently viewing DarkSide Returns as BlackMatter Ransomware

The DarkSide operation went offline earlier this year following the Colonial Pipeline attack, but researchers have now discovered the virus has returned as BlackMatter Ransomware. The discovery was noted when encryption algorithms were found in a BlackMatter Ransomware decryptor, that is identical to Darkside. The DarkSide operators have been laying low since the Colonial Pipeline attack, which caused fuel shortages in the southeast of the USA. The gang faced scrutiny from international law enforcement and the US government.

In May, the gang shut down suddenly after losing access to their services, as well as access to their cryptocurrency as it was seized by an unknown third party. Later it was announced the FBI recovered 63.7 Bitcoins of the approximately 75 Bitcoin ($4 million) ransom payment made by Colonial Pipeline.

BlackMatter Ransomware first appeared last week, actively attacking victims and purchasing network space from other hackers from which to launch attacks.

BlackMatter Ransomware

Researchers at BleepingComputer discovered that the victims who were infected by BlackMatter Ransomware were hit with ransom demands from $3 to $4 million. It is confirmed that at least one victim paid $4 million to the BlackMatter Ransomware gang in exchange for the decryptor.

Further investigation was carried out by BleepingComputer and Emisosft CTO and ransomware expert Fabian Wosar.

Wosar confirmed that the BlackMatter Ransomware group is using the same unique encryption methods that DarkSide had used in their attacks.

In Wosars report he listed the similarities, most notable the same custom Salsa20 matrix unique to DarkSide.

When encrypting data using the Salsa20 encryption algorithm, a developer provides an initial matrix consisting of sixteen 32-bit words. Instead of using constant strings, a position, nonce, and key, for each encrypted file, both DarkSide and BlackMatter Ransomware fills the words with random data. Darkside used an RSA-1024 implementation unique to their encryptor, which BlackMatter Ransomware also uses.

While it is not confirmed that it is truly the same operation, both share the same code base, encryption, similar language on websites, a similar desire for media attention, and similar color themes for their TOR sites, it is highly likely BlackMatter Ransomware is a rebrand of Darkside.

Though Darksides reign was short-lived, they proved to be a highly skilled and adept group of hackers. With them now back on the scene, it is a danger to businesses everywhere.

BlackMatter Ransomware Analysis


This analysis of Darkside was carried out largely by researchers at Cybereason. It was completed before the gang retired. As BlackMatter and DarkSide share the same codebase, the analysis is valid.

Like many other ransomware variants, BlackMatter follows the double extortion trend, which means the threat actors not only encrypt the user’s data, but first exfiltrate the data and threaten to make it public if the ransom demand is not paid. This technique effectively renders the strategy of backing up data as a precaution against a ransomware attack moot.

Darkside Ransomware
Rules for those purchasing Darkside Ransomware

After gaining an initial foothold in the network, the attackers start to collect information about the environment and the company. If it turns out that the potential target is on the attacker’s list of prohibited organizations to attack (ie: hospitals, hospices, schools, universities, non-profit organizations, or government agencies), they don’t move forward with the attack.

If not on the prohibited list, the attackers continue to carry out the operation. The attackers begins to collect files, credentials and other sensitive information, and exfilitrate it. Following this, the attackers use PowerShell to download the BlackMatter binary as “update.exe” using the “DownloadFile” command, abusing Certutil.exe and Bitsadmin.exe in the process.

In addition to downloading the BlackMatter binary into the C:\Windows and temporary directories, the attacker also creates a shared folder on the infected machine and uses PowerShell to download a copy of the malware there.

After successfully gaining a foothold on one machine in the environment, the attacker begins to move laterally in the environment, with the main goal of conquering the Domain Controller (DC).

Once the attackers make it to the DC, they start to collect other sensitive information and files, including dumping the SAM hive that stores targets’ passwords

In addition to collecting data from the DC, the attackers use PowerShell to download the BlackMatter binary from the shared folder created on the previously infected host.

When the BlackMatter ransomware first executes on the infected host, it checks the language on the system, using GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions to avoid systems located in the former Soviet Bloc countries from being encrypted.

Darkside Ransomware
Darkside Ransomware checking if the installed language is Russian

DarkSide then proceeds to stop the all services related to security and backup solutions. It then creates a connection to its C2 (command and control) server. After uninstalling the Volume Shadow Copy Service (VSS), DarkSide then deletes the shadow copies by launching an obfuscated PowerShell script that uses WMI to delete them.

The malware then enumerates the running processes and terminates different processes to unlock their files so it can both steal related information stored in the files and encrypt them.

DarkSide creates a unique User_ID string for the victim, and adds it to the encrypted files extension as follows:
<File_name>.{userid}. In addition, the malware also changes the icons for the encrypted files and changes the background of the desktop to all black, with the text “All your files have been encrypted!”


SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply