Security Experts:

BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool

The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports.

Dubbed Exmatter, the custom tool allows BlackMatter ransomware-as-a-service (RaaS) operators to easily target data of value from the compromised systems, which suggests they are looking to make their attacks faster.

Exmatter has been designed to grab specific file types from selected directories and to upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems.

Compiled as a .NET executable, the tool attempts to hide its window if specific command line arguments are found. It then proceeds to collect all drive names and file paths on the system, excluding specific directories, files with specific attributes and files of less than 1,024 bytes in size.

The attackers have been working on refining Exmatter, with multiple variants of the tool observed to date, but with only minor differences between them, Symantec said in a Monday report.

Since July 2021, BlackMatter has been used in attacks on multiple organizations worldwide, including critical infrastructure entities in the United States.

BlackMatter has been linked to the Coreid cybercrime group, which also operated the Darkside ransomware. Over the past 12 months, the group has been engaged in a variety of high-profile attacks, such as the May 2021 assault on Colonial Pipeline.

“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand. Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group,” Symantec concludes.

Related: U.S. Government Issues Urgent Warning on BlackMatter Ransomware

Related: Ransomware Group Demands Millions From U.S. Farmer Cooperative

Related: Get Ready for PYSA Ransomware Attacks Against Linux Systems

view counter