Frequently Asked Questions

BlackMatter & Data Exfiltration Threats

What is BlackMatter and how is it related to data exfiltration attacks?

BlackMatter is a ransomware operation linked to the Coreid cyber crime group, previously responsible for the Darkside ransomware. BlackMatter and its affiliates use custom data exfiltration tools, such as Exmatter, to steal sensitive files from victims before deploying ransomware. This dual approach increases pressure on victims to pay ransom by threatening to publish stolen data.

What is Exmatter and how does it operate?

Exmatter is a custom data exfiltration tool compiled as a .NET executable and used by BlackMatter and related ransomware groups. It scans infected systems for specific file types, prioritizes them by last modification time, and uploads them to a remote SFTP or WebDav server. It excludes certain directories and file types, and after exfiltration, it attempts to overwrite and delete itself to remove traces.

Which file types does Exmatter target for exfiltration?

Exmatter targets a range of file types for exfiltration, including: .doc, .docx, .xls, .xlsx, .pdf, .msg, .png, .ppt, .pptx, .sda, .sdm, .sdw, .csv, .xlsm, .zip, .json, .config, .ts, .cs, .js, .aspx, .pst. The inclusion list has evolved across variants, with some file types added or removed in newer versions.

How does Exmatter avoid detection and removal?

Exmatter attempts to hide its window if certain command line arguments are present, excludes system and temporary files, and after exfiltration, it overwrites its own executable with random data and deletes itself using PowerShell commands. This helps attackers remove traces of the tool from compromised systems.

What changes have been observed in different Exmatter variants?

Multiple Exmatter variants have been identified, each refining its capabilities. Changes include updates to the exclusion and inclusion lists, addition of new file types (.xlsm, .zip, .json, etc.), changes to SFTP and WebDav server details, and the introduction of a WebDav client as a backup exfiltration method.

How is BlackMatter connected to the Darkside ransomware group?

BlackMatter is linked to the Coreid cyber crime group, which was previously responsible for the Darkside ransomware. Coreid operates under a Ransomware-as-a-Service (RaaS) model, collaborating with affiliates to conduct attacks and share profits.

What is the significance of the May 2021 Darkside attack on Colonial Pipeline?

The May 2021 Darkside ransomware attack on Colonial Pipeline, attributed to the Coreid group, disrupted fuel supplies to the East Coast of the U.S. and highlighted the real-world impact of ransomware operations targeting critical infrastructure.

How do ransomware groups like BlackMatter use data exfiltration for extortion?

Ransomware groups such as BlackMatter exfiltrate sensitive data from victims and threaten to publish it if ransom demands are not met. This double extortion tactic increases pressure on organizations to pay, as it risks both operational disruption and data exposure.

What protocols does Exmatter use to exfiltrate data?

Exmatter primarily uses SFTP (Secure File Transfer Protocol) to upload stolen files to remote servers. In later variants, it also includes a WebDav client as a backup exfiltration method, ensuring data can be sent even if SFTP is blocked.

How does Exmatter prioritize which files to steal?

Exmatter prioritizes files for exfiltration based on their LastWriteTime, targeting recently modified files that are more likely to contain valuable or sensitive information.

What directories and files does Exmatter exclude from exfiltration?

Exmatter excludes files in system and common directories such as Windows, Program Files, ProgramData, Recovery, and others. It also skips files smaller than 1,024 bytes and those with system, temporary, or directory attributes.
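To make the selection rules described in the answers above concrete from an incident-response angle, here is an added Python example (not Exmatter's code and not from this page) that applies the inclusion list, directory exclusions, 1,024-byte size floor, attribute filter and LastWriteTime ordering to records from a file-access audit export, so a responder can estimate which files touched on a compromised host met the tool's criteria. The AuditRecord fields, the make_record helper and the sample records are assumptions constructed for the example; the inclusion list follows the combined list given in this FAQ.

```python
"""Incident-response scoping helper: added example, not Exmatter code.

Applies the Exmatter selection rules quoted on this page (extension
inclusion list, excluded directory prefixes, 1,024-byte minimum size,
skipped System/Temporary/Directory attributes, ordering by LastWriteTime)
to records from a file-access audit export. The AuditRecord fields and
the sample records below are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# Inclusion list as given in the FAQ (the set differs per variant:
# .png was dropped and .xlsm/.zip/.json/... were added in later versions).
INCLUDED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".msg", ".png", ".ppt", ".pptx",
    ".sda", ".sdm", ".sdw", ".csv", ".xlsm", ".zip", ".json", ".config",
    ".ts", ".cs", ".js", ".aspx", ".pst",
}

# Excluded directory prefixes from the page (first variant).
EXCLUDED_DIRS = [
    r"C:\Documents and Settings", r"C:\PerfLogs",
    r"C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration",
    r"C:\Program Files\WindowsApps", r"C:\ProgramData\Application Data",
    r"C:\ProgramData\Desktop", r"C:\ProgramData\Documents",
    r"C:\ProgramData\Microsoft", r"C:\ProgramData\Packages",
    r"C:\ProgramData\Start Menu", r"C:\ProgramData\Templates",
    r"C:\ProgramData\WindowsHolographicDevices", r"C:\Recovery",
    r"C:\System Volume Information", r"C:\Users\All Users",
    r"C:\Users\Default", r"C:\Users\Public\Documents", r"C:\Windows",
]
SKIPPED_ATTRIBUTES = frozenset({"System", "Temporary", "Directory"})
MIN_SIZE_BYTES = 1024


@dataclass(frozen=True)
class AuditRecord:
    path: str              # full Windows path of the accessed file
    size: int              # size in bytes
    attributes: frozenset  # FileAttributes names, e.g. {"Archive"}
    last_write: datetime   # LastWriteTime of the file


def make_record(path, size, attributes, last_write_iso):
    """Build a record from plain values (ISO 8601 string for the timestamp)."""
    return AuditRecord(path, size, frozenset(attributes),
                       datetime.fromisoformat(last_write_iso))


def _norm(path):
    # Case-insensitive, backslash-normalised form for prefix comparison.
    return path.replace("/", "\\").rstrip("\\").lower()


def is_under_excluded_dir(path):
    """True when the path is one of the excluded directories or below one."""
    p = _norm(path)
    return any(p == d or p.startswith(d + "\\")
               for d in (_norm(x) for x in EXCLUDED_DIRS))


def meets_exfil_criteria(rec):
    """True when a record satisfies every selection rule quoted on the page."""
    if is_under_excluded_dir(rec.path):
        return False
    if rec.size < MIN_SIZE_BYTES:
        return False
    if rec.attributes & SKIPPED_ATTRIBUTES:
        return False
    return PureWindowsPath(rec.path).suffix.lower() in INCLUDED_EXTENSIONS


def candidate_files(records):
    """Matching records, most recently written first (LastWriteTime priority)."""
    hits = [r for r in records if meets_exfil_criteria(r)]
    return sorted(hits, key=lambda r: r.last_write, reverse=True)


# Constructed sample audit records for a single host.
SAMPLE_RECORDS = [
    make_record(r"C:\Users\alice\Documents\contracts.docx", 48_000, {"Archive"}, "2021-10-28T09:15:00"),
    make_record(r"C:\Windows\System32\drivers\etc\hosts", 2_000, {"Archive"}, "2021-10-01T00:00:00"),
    make_record(r"C:\Users\alice\Desktop\notes.txt", 5_000, {"Archive"}, "2021-11-01T08:00:00"),
    make_record(r"C:\Users\alice\Downloads\report.pdf", 512, {"Archive"}, "2021-11-02T10:00:00"),
    make_record(r"C:\ProgramData\Microsoft\cache.xlsx", 10_000, {"Archive"}, "2021-11-02T11:00:00"),
    make_record(r"C:\Finance\q3.xlsx", 20_000, {"Archive"}, "2021-11-01T17:30:00"),
    make_record(r"C:\temp\scratch.pdf", 5_000, {"Archive", "Temporary"}, "2021-11-02T12:00:00"),
    make_record(r"C:\Users\Public\Documents\plan.pptx", 30_000, {"Archive"}, "2021-11-02T13:00:00"),
]

if __name__ == "__main__":
    for r in candidate_files(SAMPLE_RECORDS):
        print(r.last_write.isoformat(), r.path)
```

Of the eight sample records only two survive all the rules: the spreadsheet under C:\Finance and the .docx in the user's Documents folder, ordered newest first. The hosts file, the ProgramData spreadsheet and the Public Documents deck fall to the directory exclusions, the small PDF to the size floor, the temporary PDF to the attribute filter and the .txt to the inclusion list.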

How does Cymulate help organizations defend against threats like BlackMatter?

Cymulate provides continuous threat validation, attack path discovery, and automated mitigation to help organizations identify and remediate exposures that ransomware groups like BlackMatter exploit. The platform simulates real-world attacks, validates defenses, and offers actionable remediation guidance.

What are the main goals of ransomware groups using tools like Exmatter?

The main goals are to steal high-value data for extortion, disrupt operations, and maximize ransom payments by threatening to publish stolen data if demands are not met.

How does Cymulate's platform simulate real-world ransomware attacks?

Cymulate's Exposure Validation and Attack Path Discovery modules simulate real-world ransomware and data exfiltration scenarios, allowing organizations to test their defenses, identify vulnerabilities, and validate their ability to detect and respond to such attacks.

What is the Ransomware-as-a-Service (RaaS) model?

The RaaS model allows cyber crime groups like Coreid to develop ransomware tools and lease them to affiliates, who conduct attacks and share profits with the developers. This model increases the scale and frequency of ransomware campaigns.

How does Cymulate help organizations validate their defenses against data exfiltration?

Cymulate enables organizations to simulate data exfiltration attempts, test their detection and prevention controls, and receive actionable recommendations to close gaps before attackers can exploit them.

What are the risks of not addressing data exfiltration exposures?

Failing to address data exfiltration exposures can lead to sensitive data theft, regulatory penalties, reputational damage, and increased likelihood of paying ransoms due to extortion threats.

How can organizations stay updated on evolving ransomware tools like Exmatter?

Organizations can stay updated by following threat intelligence feeds, reading research from security vendors like Cymulate, and regularly validating their defenses against the latest attack techniques using platforms that update their threat libraries daily.

What is the role of file exclusion lists in data exfiltration tools?

File exclusion lists help data exfiltration tools avoid unnecessary files, reduce detection risk, and focus on valuable data. Exmatter, for example, skips system directories and files with certain attributes to streamline exfiltration and avoid alerting defenders.

Features & Capabilities

What features does Cymulate offer for threat validation and exposure management?

Cymulate offers continuous threat validation, attack path discovery, automated mitigation, exposure prioritization, and a comprehensive threat simulation library. These features help organizations test, validate, and improve their defenses against modern threats, including ransomware and data exfiltration attacks.

How does Cymulate's Attack Path Discovery work?

Cymulate's Attack Path Discovery simulates an attacker moving laterally within a network after compromising a single workstation. It uncovers lateral movement gaps, privilege escalation paths, and exposed credentials or data that attackers could exploit. This helps organizations identify and remediate segmentation and access control weaknesses.

Does Cymulate integrate with other security tools?

Yes, Cymulate integrates with a wide range of technology partners across network, cloud, endpoint, and SIEM domains. Examples include Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance, Carbon Black, Check Point CloudGuard, CrowdStrike Falcon, and more. For a full list, visit our Partnerships and Integrations page.

How frequently is Cymulate's threat simulation library updated?

Cymulate's threat simulation library is updated daily, ensuring that organizations can test their defenses against the latest attack techniques and emerging threats.

What is Cymulate's 'Threat (IoC) updates' feature?

Cymulate's 'Threat (IoC) updates' feature provides recommended Indicators of Compromise (IoCs) that can be exported and applied directly to security controls. This improves threat resilience by enabling rapid defense updates against new threats.

How does Cymulate support a threat-informed defense strategy?

Cymulate supports a threat-informed defense by continuously validating security controls against the latest threats and attack techniques, ensuring defenses are always prepared for current and emerging adversarial methods.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, media, transportation, and manufacturing. It helps organizations of all sizes improve their security posture and operational efficiency.

What business impact can customers expect from Cymulate?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, a 52% reduction in critical exposures, and a 30% improvement in threat prevention. These outcomes are supported by case studies such as Hertz Israel.

How easy is it to implement Cymulate?

Cymulate is designed for quick and easy implementation, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, with comprehensive support and educational resources available.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its user-friendly and intuitive platform. Security professionals highlight its ease of deployment, actionable insights, and accessible support, making it a preferred choice for communicating risks and improving security posture.

How does Cymulate address the pain points of security teams?

Cymulate addresses pain points such as overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers by providing continuous validation, exposure prioritization, automation, and actionable metrics for all stakeholders.

Security & Compliance

What security and compliance certifications does Cymulate hold?

Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications cover security, privacy, and cloud service standards, ensuring robust protection for customer data.

How does Cymulate ensure data security and privacy?

Cymulate is hosted in secure AWS data centers, uses strong encryption (TLS 1.2+ for data in transit, AES-256 for data at rest), and follows a strict Secure Development Lifecycle (SDLC). The company has a dedicated privacy and security team, including a DPO and CISO, and complies with GDPR and international standards.

Competition & Comparison

How does Cymulate compare to AttackIQ?

AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for streamlined workflows.

How does Cymulate compare to Mandiant Security Validation?

Mandiant is an original BAS platform but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and maintaining leadership in the market.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but does not provide the depth of full exposure validation that Cymulate offers. Cymulate covers the entire kill chain and includes cloud control validation.

How does Cymulate compare to Picus Security?

Picus Security is suitable for on-premise BAS needs but lacks the complete exposure validation platform that Cymulate provides. Cymulate covers the full kill chain and includes cloud control validation.

How does Cymulate compare to SafeBreach?

SafeBreach offers breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate leads with AI-powered BAS, the largest attack library, and a full Continuous Threat Exposure Management (CTEM) solution.

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams but lacks Cymulate's focus on actionable remediation and automated mitigation. Cymulate provides a more complete exposure validation platform with daily threat updates and vendor-specific remediation guidance.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and selected scenarios. The subscription fee is non-refundable. For a detailed quote, schedule a demo with the Cymulate team.


BlackMatter: New Data Exfiltration Tool Used in Attacks

November 3, 2021

This is the third time a custom data exfiltration tool appears to have been developed by ransomware operators, following the earlier discovery of the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware operation.

Exmatter is compiled as a .NET executable and obfuscated. When run, it checks its command line arguments for the following strings: "nownd" and "-nownd". If either is found, it attempts to hide its own window by calling the "ShowWindow" API as follows:

ShowWindow(Process.GetCurrentProcess().MainWindowHandle, 0);

In order to identify files for exfiltration, it will retrieve the drive names of all logical drives on the infected computer and collect all file path names, disregarding anything under the following directories:

C:\Documents and Settings
C:\PerfLogs
C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration
C:\Program Files\WindowsApps
C:\ProgramData\Application Data
C:\ProgramData\Desktop
C:\ProgramData\Documents
C:\ProgramData\Microsoft
C:\ProgramData\Packages
C:\ProgramData\Start Menu
C:\ProgramData\Templates
C:\ProgramData\WindowsHolographicDevices
C:\Recovery
C:\System Volume Information
C:\Users\All Users
C:\Users\Default
C:\Users\Public\Documents
C:\Windows

It will also exclude files of less than 1,024 bytes in size and files with the following attributes:

FileAttributes.System
FileAttributes.Temporary
FileAttributes.Directory

It will only exfiltrate files with the following extensions:

.doc .docx .xls .xlsx .pdf .msg .png .ppt .pptx .sda .sdm .sdw .csv

It attempts to prioritize files for exfiltration by using LastWriteTime.

Files that match the criteria are then uploaded to a remote SFTP server using the following parameters:

Host: 165.22.84[.]147
Port: 22

Exmatter also includes SOCKS5 configuration, but this is not used:

Host: 10.26.16[.]181
Port: 1080

When it has finished exfiltrating data, Exmatter starts the following process to remove any trace of itself:

Filename: "powershell.exe"
Arguments: -WindowStyle Hidden -C $path = '[FILEPATH_OF_THE_EXECUTING_SAMPLE]';Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;

This will attempt to overwrite an initial chunk of the file before deleting it.

Multiple variants of Exmatter have been found, suggesting that the attackers have continued to refine the tool in order to expedite exfiltration of a sufficient volume of high value data in as short a time as possible.

In a second variant, the directory "C:\Program Files\Windows Defender Advanced Threat Protection\Classification\Configuration" has been replaced with "C:\Program Files\Windows Defender Advanced Threat Protection" on the exclusion list. The file types ".xlsm" and ".zip" were added to the inclusion list.

A third version of note added a WebDav client. The code structure suggests that SFTP remains the first choice protocol, with WebDav acting as a backup. The WebDav client uses the following URL:

https://157.230.28[.]192/data

The following file types were also added to the inclusion list:

.json .config .ts .cs .js .aspx .pst

In addition to this, Exmatter is configured to skip exfiltration for files with names containing any of the following strings:

OneDriveMedTile
locale-
SmallLogo
VisualElements
adobe_sign
Adobe Sign
core_icons

A fourth variant contained updated SFTP server details:

Host: 159.89.128[.]13
Port: 22

The WebDav client used the following updated URL:

https://159.89.128[.]13/data

Finally, the list of files for inclusion was updated by removing ".png".
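The self-wipe command line and the server details above are the most directly detectable artefacts in this write-up. The following added Python example (not from the page and not Symantec's or Cymulate's detection content) runs two checks over constructed Sysmon-style process-creation and network-connection events: one matches the PowerShell self-wipe sequence (kill own process by path, allocate a byte array, Set-Content over the path, Remove-Item), generalised so that the variable name and array size may differ from the sample quoted here; the other matches outbound connections to the SFTP and WebDav hosts listed on the page, refanged for comparison. The event field names follow Sysmon (EventID, Image, CommandLine, DestinationIp, DestinationPort); the sample events, the svc.exe path and the benign 203.0.113.10 destination are constructed.

```python
"""Detection checks for the Exmatter behaviours described above: added
example, not the page's, Symantec's or Cymulate's detection content.

Events are simplified Sysmon-style dicts (EventID 1 = process creation
with Image/CommandLine, EventID 3 = network connection with
DestinationIp/DestinationPort). The sample events are constructed."""
import re

# SFTP/WebDav hosts from the page, refanged so they compare with log fields.
EXFIL_HOSTS = {"165.22.84.147", "157.230.28.192", "159.89.128.13"}

# Each marker is one stage of the self-wipe sequence; all four must appear.
# \$\w+ and \d+ generalise the variable name and buffer size, which may
# differ from the '$path' / 65536 seen in the quoted sample.
SELF_WIPE_MARKERS = [
    re.compile(r"Get-Process\s*\|\s*Where-Object\s*\{\s*\$_\.Path\s+-like\s+\$\w+\s*\}\s*\|\s*Stop-Process", re.I),
    re.compile(r"\[byte\[\]\]\s*\$\w+\s*=\s*new-object\s+byte\[\]\s+\d+", re.I),
    re.compile(r"Set-Content\s+-Path\s+\$\w+", re.I),
    re.compile(r"Remove-Item\s+-Path\s+\$\w+", re.I),
]


def is_self_wipe_command(command_line):
    """True when a PowerShell command line carries every self-wipe stage."""
    if "powershell" not in command_line.lower():
        return False
    return all(m.search(command_line) for m in SELF_WIPE_MARKERS)


def analyse_events(events):
    """Return (rule, image, detail) tuples for events matching either check."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1 and is_self_wipe_command(ev.get("CommandLine", "")):
            alerts.append(("exmatter_self_wipe", ev["Image"],
                           ev["CommandLine"][:40] + "..."))
        elif ev.get("EventID") == 3 and ev.get("DestinationIp") in EXFIL_HOSTS:
            alerts.append(("exmatter_exfil_host", ev["Image"],
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return alerts


# Constructed sample events; svc.exe stands in for the dropped sample.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "CommandLine": r"powershell.exe -WindowStyle Hidden -C $path = 'C:\Users\alice\AppData\Local\Temp\svc.exe';"
                    r"Get-Process | Where-Object {$_.Path -like $path} | Stop-Process -Force;"
                    r"[byte[]]$arr = new-object byte[] 65536;Set-Content -Path $path -Value $arr;Remove-Item -Path $path;"},
    {"EventID": 1, "Image": PS,
     "CommandLine": "powershell.exe -C Get-Process | Sort-Object CPU"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationIp": "165.22.84.147", "DestinationPort": 22},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationIp": "159.89.128.13", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, image, detail in analyse_events(SAMPLE_EVENTS):
        print(rule, image, detail)
```

Against the sample events the self-wipe rule fires once and the host rule twice; the ordinary Get-Process pipeline and the browser connection produce nothing. The host match is the brittle half, since the page itself shows the SFTP and WebDav addresses changing between variants, whereas the four-stage self-wipe pattern survived every variant described above and is the better long-lived signal.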
BlackMatter is linked to the Coreid cyber crime group, which was previously responsible for the Darkside ransomware. For the past 12 months, it has been one of the most prolific targeted ransomware operators and its tools have been used in a number of ambitious attacks, most notably the May 2021 Darkside attack on Colonial Pipeline that disrupted fuel supplies to the East Coast of the U.S. Coreid operates under a RaaS model, working with affiliates to conduct ransomware attacks and then taking a share of the profits. Like most ransomware actors, attacks linked to Coreid steal victims' data and the group then threatens to publish it to further pressure victims into paying the ransom demand. Whether Exmatter is the creation of Coreid itself or one of its affiliates remains to be seen, but its development suggests that data theft and extortion continue to be a core focus of the group.