

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, forced safe mode boot, AutoAdminLogon account registry modification, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-06
  • Author: Teoderick Contreras, Splunk
  • ID: 0da348a3-78a0-412e-ab27-2de9dd7f9fee


BlackMatter ransomware campaigns targeting healthcare and other vertical sectors involve the use of ransomware payloads along with exfiltration of data, per an HHS bulletin. Malicious actors demand payment for ransom of data and threaten deletion and exposure of exfiltrated data.


| Name | Technique | Type |
|---|---|---|
| Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Anomaly |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | TTP |
| Change To Safe Mode With Network Config | Inhibit System Recovery | TTP |
| Known Services Killed by Ransomware | Inhibit System Recovery | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly |
| SchCache Change By App Connect And Create ADSI Object | Domain Account, Account Discovery | Anomaly |


source | version: 1