We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Ransom:Win32/BlackMatter.MAK!MTB
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This ransomware encrypts the data on your disk and can stop you from using your device or accessing your data. It encrypts files, renders them inaccessible, and demands payment for the decryption key.
BlackMatter is the rebranded name of the DarkSide ransomware-as-a-service (RaaS) group that has been active since July 2021. The threat group, however, has adopted attack methodologies such as payload functionality, distribution, obfuscation, and encryption techniques from DarkSide. Attackers gain access to compromised accounts and deploy the ransomware payload. BlackMatter, like many other RaaS groups, encrypt files, exfiltrate data and threaten to release it if the ransom demand is not met.
For information about ransomware, read these blog posts:
- Human-operated ransomware attacks: A preventable disaster
- Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here’s what to do
- Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
- Human-operated ransomware
There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. If you have cloud-delivered protection, your device gets the latest defenses against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
To help reduce the impact of this threat, you can:
- Immediately isolate the affected device and any additional device with BlackMatter ransomware-related alerts. If BlackMatter ransomware has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected endpoint might have been compromised. Check for the presence of other malware.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts.
- Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
