HC3 TLP White Threat Briefing – Demystifying BlackMatter

September 2, 2021


  • Executive Summary
  • What the Group Claims To Be
  • What We Know About the Group
  • Technical Details
  • Mitigations
  • Outlook


  • First Surfaced: July 2021
  • Suspected Predecessor(s): DarkSide, REvil RaaS
  • Malware Capabilities: Ransomware written in C that encrypts files using a combination of Salsa20 and 1024-bit RSA
  • Targeted Systems: Windows and Linux servers


  • Origin: Likely Eastern Europe, Russian-speaking
  • Forum Presence: Exploit and XSS, BlackMatter blog
  • Targeted Countries: United States, India, Brazil, Chile, Thailand, and growing
  • Targeted Industries: Legal, Real Estate, IT Services, Food & Beverage, Architecture, Education, Finance
  • Status: Actively seeking Initial Access Brokers (IABs) and affiliates for ransomware deployment
  • Classification: Highly sophisticated, financially motivated cybercriminal operation
  • Threat to HPH Sector: Elevated Risk


For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA


(O) +1 202 626 2272

(M) +1 202 640 9159
