Analytics Story: BlackMatter Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.
Why it matters
BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 12 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log System 7036 | Windows | xmlwineventlog |
XmlWinEventLog:System |
References
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
- https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/
Source: GitHub | Version: 1