The cybercriminals operating the BlackMatter ransomware have started using a custom data exfiltration tool in their attacks, Symantec reports.
Dubbed Exmatter, the custom tool allows BlackMatter ransomware-as-a-service (RaaS) operators to easily target data of value from the compromised systems, which suggests they are looking to make their attacks faster.
Exmatter has been designed to grab specific file types from selected directories and to upload them to attacker-controlled servers before the ransomware itself is executed on the compromised systems.
Compiled as a .NET executable, the tool attempts to hide its window if specific command line arguments are found. It then proceeds to collect all drive names and file paths on the system, excluding specific directories, files with specific attributes and files of less than 1,024 bytes in size.
The attackers have been working on refining Exmatter, with multiple variants of the tool observed to date, but with only minor differences between them, Symantec said in a Monday report.
Since July 2021, BlackMatter has been used in attacks on multiple organizations worldwide, including critical infrastructure entities in the United States.
BlackMatter has been linked to the Coreid cybercrime group, which also operated the Darkside ransomware. Over the past 12 months, the group has been engaged in a variety of high-profile attacks, such as the May 2021 assault on Colonial Pipeline.
“Like most ransomware actors, attacks linked to Coreid steal victims’ data and the group then threatens to publish it to further pressure victims into paying the ransom demand. Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continues to be a core focus of the group,” Symantec concludes.
Related: U.S. Government Issues Urgent Warning on BlackMatter Ransomware
Related: Ransomware Group Demands Millions From U.S. Farmer Cooperative
Related: Get Ready for PYSA Ransomware Attacks Against Linux Systems

More from Ionut Arghire
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
- New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries
- CISA Seeks Public Opinion on Cloud Application Security Guidance
Latest News
- Ferrari Says Ransomware Attack Exposed Customer Data
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Millions Stolen in Hack at Cryptocurrency ATM Manufacturer General Bytes
- Waterfall Security, TXOne Networks Launch New OT Security Appliances
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
