"Who Is BlackMatter?"

Researchers have been piecing together information about BlackMatter, the group behind the recent ransomware attack on the Iowa-based farm services provider New Cooperative. The group claims to use the best tools and methods of the DarkSide, REvil, and LockBit 2.0 groups. Researchers have been analyzing BlackMatter since it emerged in July 2021, and several reports have found connections between these groups. For example, McAfee researchers found BlackMatter's coding style to be similar to DarkSide's, suggesting that the people behind it are the same or have a close relationship. Their analysis focused on version 1.2 of BlackMatter, but they noted that version 1.9 has a compile date of August 12, 2021, and the latest version, 2.0, has a compile date of August 16, 2021, showing that the malware developers are actively improving the code and making detection and analysis more difficult. According to a researcher at Sophos, when BlackMatter ransomware hits a victim's machine and encrypts files on its drives, it sets a wallpaper similar to the one DarkSide sets. BlackMatter also resembles DarkSide and REvil in that it resolves Application Programming Interface (API) functions at runtime, which hinders static analysis. The Sophos researcher pointed out that these techniques are common across recent malware, but BlackMatter's runtime API resolution and string decryption routines are similar to those of DarkSide and REvil. BlackMatter has published stolen data from 10 organizations on its leak site. The group appears to primarily target large and well-resourced organizations in the U.S., U.K., Canada, Australia, India, Brazil, Chile, and Thailand. This article continues to discuss key findings regarding the BlackMatter ransomware group.

Dark Reading reports "Who Is BlackMatter?"
