After the demise of the DarkSide ransomware affiliate program, a vacuum was left in the market. This space was promptly filled by new groups such as Lockbit and BlackMatter. BlackMatter, the up-and-coming star of the ransomware scene, is thought to be DarkSide’s direct heir, from which it got some of its code. While no high-profile breach of BlackMatter have been published yet, BleepingComputer claims the group already netted a 4 million ransom payment.
Minerva’s research team obtained a recent BlackMatter sample, and in this blog, we will give some crucial details of the ransomware’s inner workings and evasion techniques.
Like most modern malware, BlackMatter employs string encryption and dynamic API function resolving, that is done to hinder static analysis. The ransomware’s API resolving routine is quite unique, as it will save resolved function pointers in an encoded form and decode them only when used.
A de-compilation of the API resolving function:
To further complicate the analysis, if a heap allocation ends with the integer 0xABABABAB the malware will not save the stub’s address in the reconstructed import address table. This will effectively crash the ransomware if it is running under a debugger. More information on why this technique works can be found here under “Heap Protection”.
Another anti-debugging technique used by BlackMatter is hiding threads using the NtSetInformationThread function with the parameter ThreadHideFromDebugger (0x11). This will cause a thread to “run away” from a debugger, resulting in an encrypted machine. It is worth mentioning that this exact technique is used by Lockbit 2.0, further strengthening the evidence that the two are linked.
Thread hiding code from BlackMatter:
Unlike other ransomware, BlackMatter will encrypt Russian devices. The sample we analyzed did not bother to check the computer’s locale before encrypting it. The malware does not care where it executes and will even encrypt a commercial sandbox.
Ransomware is seldom the initial payload of an attack, which must be resistant to security products, hence environmental awareness must be part of its repertoire. To evade security tools it will usually employ evasion techniques such as memory injection and ‘living off the land’. Minerva Labs prevents the initial payload from executing, thereby stopping threats like BlackMatter from gaining a foothold on the network in the first place.