SecurityWeek

BlackMatter Ransomware Operators Develop Custom Data Exfiltration Tool

The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports.

Dubbed Exmatter, the custom tool allows BlackMatter ransomware-as-a-service (RaaS) operators to easily target data of value from the compromised systems, which suggests they are looking to make their attacks faster.

Exmatter has been designed to grab specific file types from selected directories and to upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems.

Compiled as a .NET executable, the tool attempts to hide its window if specific command-line arguments are found. It then collects all drive names and file paths on the system, excluding specific directories, files with specific attributes, and files smaller than 1,024 bytes.

The attackers have been working on refining Exmatter, with multiple variants of the tool observed to date, but with only minor differences between them, Symantec said in a Monday report.

Since July 2021, BlackMatter has been used in attacks on multiple organizations worldwide, including critical infrastructure entities in the United States.

BlackMatter has been linked to the Coreid cybercrime group, which also operated the Darkside ransomware. Over the past 12 months, the group has been engaged in a variety of high-profile attacks, such as the May 2021 assault on Colonial Pipeline.

“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand. Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group,” Symantec concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
