Analytics Story: BlackMatter Ransomware

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.

Why it matters

BlackMatter ransomware campaigns targeting healthcare and other vertical sectors, involve the use of ransomware payloads along with exfiltration of data per HHS bulletin. Malicious actors demand payment for ransome of data and threaten deletion and exposure of exfiltrated data.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Add DefaultUser And Password In Registry Credentials in Registry, Unsecured Credentials Anomaly
Auto Admin Logon Registry Entry Credentials in Registry, Unsecured Credentials TTP
Bcdedit Command Back To Normal Mode Boot Inhibit System Recovery TTP
Change To Safe Mode With Network Config Inhibit System Recovery TTP
Known Services Killed by Ransomware Inhibit System Recovery TTP
Modification Of Wallpaper Defacement TTP
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
SchCache Change By App Connect And Create ADSI Object Domain Account, Account Discovery Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7036 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References


Source: GitHub | Version: 1