Security Experts:

Connect with us

Hi, what are you looking for?



BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool

The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports.

The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports.

Dubbed Exmatter, the custom tool allows BlackMatter ransomware-as-a-service (RaaS) operators to easily target data of value from the compromised systems, which suggests they are looking to make their attacks faster.

Exmatter has been designed to grab specific file types from selected directories and to upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems.

Compiled as a .NET executable, the tool attempts to hide its window if specific command line arguments are found. It then proceeds to collect all drive names and file paths on the system, excluding specific directories, files with specific attributes and files of less than 1,024 bytes in size.

The attackers have been working on refining Exmatter, with multiple variants of the tool observed to date, but with only minor differences between them, Symantec said in a Monday report.

Since July 2021, BlackMatter has been used in attacks on multiple organizations worldwide, including critical infrastructure entities in the United States.

BlackMatter has been linked to the Coreid cybercrime group, which also operated the Darkside ransomware. Over the past 12 months, the group has been engaged in a variety of high-profile attacks, such as the May 2021 assault on Colonial Pipeline.

“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand. Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group,” Symantec concludes.

Related: U.S. Government Issues Urgent Warning on BlackMatter Ransomware

Related: Ransomware Group Demands Millions From U.S. Farmer Cooperative

Related: Get Ready for PYSA Ransomware Attacks Against Linux Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.