# blackmatter_ransomware.yml (forked from splunk/security_content)
name: BlackMatter Ransomware
id: 0da348a3-78a0-412e-ab27-2de9dd7f9fee
version: 1
date: '2021-09-06'
author: Teoderick Contreras, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
  that might relate to the BlackMatter ransomware, including looking for file writes
  associated with BlackMatter, forced safe mode boot, AutoAdminLogon account registry
  modification and more.
narrative: BlackMatter ransomware campaigns targeting healthcare and other vertical
  sectors involve the use of ransomware payloads along with exfiltration of data,
  per an HHS bulletin. Malicious actors demand payment for the ransom of the data and
  threaten deletion and exposure of the exfiltrated data.
references:
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
- https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
- https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/
tags:
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
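The story's description names two behaviours that are cheap to detect from endpoint telemetry and that belong together: forcing the next boot into safe mode (bcdedit with a safeboot argument) and enabling AutoAdminLogon under the Winlogon key so the encryptor can keep running after that reboot without an interactive logon. The following is an added example, not code from splunk/security_content and not one of the story's SPL searches. It runs that detection logic in plain Python over constructed Sysmon-style process and registry events; the field names (host, image, cmdline, user, process, path, value) are assumptions, and the hosts, users, paths and values are made up for the demonstration.

```python
"""Detection logic for two BlackMatter behaviours named in the story above:
forced safe-mode boot via bcdedit and AutoAdminLogon registry modification.

Added example, not part of splunk/security_content. All events below are
constructed; field names follow a Sysmon-like schema and are an assumption.
"""
import re
from dataclasses import dataclass

# Registry key that holds the automatic-logon settings (hive prefix omitted so
# both HKLM\SOFTWARE\... and the hive-less form seen in some log sources match).
WINLOGON_KEY = r"\Microsoft\Windows NT\CurrentVersion\Winlogon"
# bcdedit's safe-mode switch: "safeboot minimal" or "safeboot network".
SAFEBOOT_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


# Constructed process-creation events (assumed fields: host, image, cmdline, user).
PROCESS_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} safeboot network", "user": "CORP\\alice"},
    {"host": "WS01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No", "user": "CORP\\alice"},
    {"host": "WS02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c bcdedit /set {current} safeboot minimal",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"host": "WS03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe safeboot_notes.txt", "user": "CORP\\bob"},
]

# Constructed registry value-set events (assumed fields: host, process, path, value).
REGISTRY_EVENTS = [
    {"host": "WS01", "process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "value": "1"},
    {"host": "WS01", "process": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword",
     "value": "Passw0rd!"},
    {"host": "WS04", "process": r"C:\Windows\regedit.exe",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": "explorer.exe"},
    {"host": "WS05", "process": r"C:\Windows\System32\svchost.exe",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon",
     "value": "0"},
]


def detect_safe_mode_boot(events):
    """Flag bcdedit invocations (direct or via a shell) that set a safeboot option.
    Requiring 'bcdedit' keeps unrelated command lines mentioning safeboot out;
    the word-boundary regex keeps 'safeboot_notes.txt' out as well.
    Recovery tampering (recoveryenabled No) is a separate rule and is not matched."""
    findings = []
    for e in events:
        image_name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"]
        if (image_name == "bcdedit.exe" or "bcdedit" in cmd.lower()) and SAFEBOOT_RE.search(cmd):
            findings.append(Finding("forced_safe_mode_boot", e["host"], cmd))
    return findings


def detect_autoadminlogon(events):
    """Flag AutoAdminLogon being switched on, or a DefaultPassword being written,
    under the Winlogon key. Other Winlogon values (Shell, DefaultUserName) are
    too commonly touched by legitimate tooling to alert on alone."""
    findings = []
    for e in events:
        key, _, name = e["path"].rpartition("\\")
        if not key.lower().endswith(WINLOGON_KEY.lower()):
            continue
        if name.lower() == "autoadminlogon" and str(e["value"]).strip() == "1":
            findings.append(Finding("autoadminlogon_enabled", e["host"],
                                    f"{name}={e['value']} by {e['process']}"))
        elif name.lower() == "defaultpassword":
            findings.append(Finding("autologon_password_written", e["host"],
                                    f"{name} written by {e['process']}"))
    return findings


def correlate(findings):
    """Hosts where a forced safe-mode boot and an auto-logon change both occurred:
    the pairing is what makes the reboot useful to the encryptor, so it is a far
    stronger signal than either event on its own."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items()
                  if "forced_safe_mode_boot" in rules
                  and rules & {"autoadminlogon_enabled", "autologon_password_written"})


def run_detections(process_events=PROCESS_EVENTS, registry_events=REGISTRY_EVENTS):
    findings = detect_safe_mode_boot(process_events) + detect_autoadminlogon(registry_events)
    return findings, correlate(findings)


if __name__ == "__main__":
    all_findings, suspect_hosts = run_detections()
    for f in all_findings:
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("hosts with both behaviours:", suspect_hosts)
```

On the constructed data the safe-mode rule fires for WS01 and WS02 (the second WS01 bcdedit call only disables recovery and is left to a separate rule), the registry rule fires twice for WS01 and not for the Shell change on WS04 or the AutoAdminLogon=0 write on WS05, and only WS01 shows both behaviours. In a real deployment the individual rules map onto separate detections in the story and the correlation step onto a risk-based alert across them.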