• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Search
Search
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Security
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Security for Chromebook
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella and Cisco Secure Access Packages
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
      • Cisco Umbrella for Government Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Your SSE journey with Cisco
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
      • Umbrella and Duo Layered Protection
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
        • – FTC Safeguards Rule Compliance 2023
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
      • Cybersecurity Webinars
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is DNS Security
      • What is a Secure Web Gateway
      • What is a Cloud Access Security Broker (CASB)
      • What is Security Service Edge (SSE)
      • What is Secure Access Service Edge (SASE)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Free Trial Quick Start Guide
      • Free Trial Help and Tips
  • Trends & Threats
    • Market Trends
      • Generative AI Cybersecurity Risks and Rewards
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Clearing search keywords
Cybersecurity Threat Spotlight

BlackMatter, LockBit, and THOR

Author avatar of Josh PyorreJosh Pyorre
Updated — February 27, 2023 • 7 minute read
View blog >

Ever wonder what happens when some of yesterday’s most crippling ransomware or RAT attacks evolve? That’s what we unpack in this month’s Cybersecurity Threat Spotlight. Our three cyberattacks wreak havoc by borrowing some of the most effective techniques and tools formerly used by DarkSide, REvil, LockBit, and the PlugX RAT.

We break down this evolution in today’s blog, and discuss the ways in which you can protect your network in an on-demand webinar.


Threat Name: BlackMatter

Threat Type: Ransomware

Attack Chain:

A graphic showing the attack chain for BlackMatter. The attack chain proceeds as follows: Phishing, Vulnerability, Exploitation/Compromise, RDP, and Stolen Credentials to Command and Control to Data Exfiltration to Data Encryption. The graphic indicates that Cisco Secure products can protect users from phishing, vulnerability, exploitation/compromise, RDP, stolen credentials, command and control, and data exfiltration.

Description: BlackMatter ransomware is both a ransomware variant and a ransomware-as-a-service, borrowing techniques and tools from DarkSide and REvil RaaS platforms and from LockBit 2.0 ransomware. One interesting change in BlackMatter from similar variants is that it will encrypt Russian systems.

First appearing in July, 2021, BlackMatter appears to be the next generation of DarkSide, REvil, and LockBit 2.0, using the best techniques from each to be more effective at achieving its goals. The name BlackMatter applies to its operators, its use as a Ransomware-as-a-Service (RaaS), and the artifacts used in infections.

The operators have a presence on TOR, where they claim transparency with victims, recovery companies, and journalists while providing a list of verticals they do not target.

Many similarities between BlackMatter, DarkSide, REvil, and LockBit 2.0 exist. These include being provided as RaaS, multi-threading, in-place file encryption, and similar ransom desktop wallpaper on victim machines. Some of the notable differences with BlackMatter include a larger encryption size of 1,024 KB and the fact that it will encrypt Russian-language systems.

The ransom notes are similar to what has been observed in DarkSide infections in regard to file size, image format, and appearance. BlackMatter uses Initial Access Brokers, individuals or groups who are willing to sell access to compromised networks while also recruiting affiliates to deliver ransomware for a portion of the ransom payments. Variants exist for Windows and Linux, affecting Windows Server 2003 and later and Windows 7 and later on x86 and x64 architectures. Affected Linux versions include VMWare ESXI, Ubuntu, Debian, and CentOS.

Initial access is via compromised remote desktop, phishing, the use of stolen credentials, or exploitation of vulnerabilities in web browsers or operating systems. When a system is infected with BlackMatter, the privilege of the current user is verified and an attempt to escalate occurs. Processes are terminated to close any running programs that might prevent encryption of files, shadow volume copies are deleted, data is exfiltrated, and the files on the system are encrypted. During encryption, files are opened, checked to determine if they were already encrypted, renamed with a new extension, and partially encrypted. Then, data to indicate the file was encrypted is added and the file is closed. Access permissions for encrypted files are changed to ‘All’. Victims who choose to pay the ransom to recover files are unable to restore the original access permissions. If unable to run due to endpoint protection, BlackMatter will reboot a Windows system in safe mode. To inhibit analysis, string information in malware artifacts are encrypted and only decrypted while running in memory.

Target Geolocations: Any
Target Data: Any
Target Businesses: Financial, Legal, Manufacturing, Professional Services, Retail, Technology1
Exploits: Web Browser or OS Vulnerabilities

MITRE ATT&CK for BlackMatter
Initial Access: Phishing, External Remote Services
Persistence: Scheduled Task/Job
Evasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Dynamic-Link Library Injection
Collection: N/A
Exfiltration: Exfiltration Over Web Service, Transfer Data to Cloud Account, Exfiltration Over C2 Channel

IOCs

Domains:
kucukisletmeler[.]com
lentingbouw[.]nl
fluentzip[.]org
nowautomation[.]com
mojobiden[.]com
Paymenthacks[.]com

Additional Information:
BlackMatter ransomware emerges from the shadow of DarkSide
BlackMatter Ransomware Portal Tweet

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Cloud Web Security
Cisco Network Security
Cisco Secure Network Analytics
Cisco Secure Cloud Analytics
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

1 These target businesses were identified by BlackMatter operators, but this attack may target other businesses


Threat Name: LockBit

Threat Type: Ransomware

Attack Chain:

A graphic showing the attack chain for LockBit attacks. The attack chain is as follows: Phishing to Command and Control to RDP to Data Exfiltration to Data Encryption. The graphic indicates that Cisco Umbrella protects users from phishing, command and control, and data exfiltration.

Description: LockBit ransomware was first seen in 2019. A second version, called LockBit 2.0, appeared in July, 2021 and operates as ransomware-as-a-service (RaaS). It shares features with Ryuk and Egregor ransomware families, such as Wake-on-LAN and Print Bombing (sending the ransom note to connected printers). LockBit operators use double-extortion methods and attempt to recruit affiliates from within the targeted organizations. Automatic encryption on victim systems occurs across Windows domains by abusing Microsoft Entra ID policies. LockBit uses multithreading for encryption and only partially encrypts files to increase speed.

Originally known as the .abcd virus, the first version of LockBit was able to self-replicate, performed host discovery using ARP tables, and would move laterally by exploiting SMB on Windows systems. It would spread via PowerShell and avoided encrypting Russian-language systems.

A new version of LockBit, called LockBit 2.0, began appearing in late 2019. The wallpaper that was set on victim systems would attempt to recruit internal affiliates or members of the victim organization to help further the infection and provide additional data for exfiltration in exchange for payment. LockBit 2.0 also attempted to recruit outside affiliates by advertising faster encryption speed than the first version of LockBit as well as other Ransomware variants. Delivery is typically via phishing, where a dropper is installed. C2 communication begins shortly after and additional tools are downloaded. Data exfiltration then occurs, followed by data encryption.

Once LockBit is installed on a system, Cobalt Strike and remote access tools are also installed. Some of these tools are legitimate, which helps to avoid detection. Data is then exfiltrated for additional ransom if payment is not made. LockBit 2.0 samples employ anti-analysis techniques similar to BlackMatter, where strings are encrypted until runtime. Shadow volume copies are deleted on victim systems prior to encryption. When encrypting files, the extension is changed to .lockbit and a custom icon is set to display for that file type. It then looks for connected drives and network volumes, creates a ransom note in all directories, encrypts the files, and changes the desktop background to a ransom message. One of the final steps is to print the ransom note to any connected printers.

Target Geolocations: Asia, North America, South America, Europe
Target Data: Any
Target Businesses: Any
Exploits: N/A

MITRE ATT&CK for LockBit
Initial Access: Unconfirmed
Persistence: Registry Run Keys / Startup Folder
Evasion: Virtualization/Sandbox Evasion
Collection: Data From Local System
Exfiltration: Exfiltration Over Command and Control Channel

IOCs

Domains:
None

IPs:
139.60.160[.]200
168.100.11[.]72
174.138.62[.]35
185.215.113[.]39
193.162.143[.]218
193.38.235[.]234
45.227.255[.]190
88.80.147[.]102
93.190.143[.]101

Additional Information:
LockBit ransomware now infects Windows domains using group policies
LockBit Resurfaces With version 2.0 Ransomware Detections in Chile, Italy, Taiwan, UK

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Cloud Web Security
Cisco Network Security
Cisco Secure Network Analytics
Cisco Secure Cloud Analytics
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance


Threat Name: THOR

Threat Type: RAT

Attack Chain:

A graphic illustrating the attack chain for THOR, which is as follows: Phishing to Malicious Document to Command and Control. The graphic indicates that Cisco Secure products protect users from phishing and command and control.

Description: THOR is a variant of the PlugX Remote Access Tool (RAT). PlugX RATs have been in use since 2008 and have the ability to upload, download, and modify files, perform keystroke logging, webcam control, and provide access to a remote shell. THOR is unique from previous PlugX variants in that it changed the word ‘PLUG’ to ‘THOR’ in its source code. It is further differentiated from past PlugX RATs by its use of modified payload delivery mechanisms and the use of trusted binaries on a victim system to accomplish its goals. It first appeared in March, 2021 as part of an attack on Exchange Servers via CVE-2021-26855 and CVE-2021-27065.

THOR Spotlight: THOR is a new variant of the PlugX malware, which has been involved in targeted attacks and intrusions since 2008. PlugX is often installed as a second-stage implant following the initial infection. It’s built for modular use, allowing the use of plug-ins to achieve specific objectives. Delivery is via malicious documents in phishing emails and C2 communication occurs after infection. Additional components may be downloaded after communication begins.

In March of 2019, two zero-day exploits (CVE-2021-26855 and CVE-2021-27065) were discovered affecting Microsoft Exchange Servers. These exploits were used to upload a webshell to a publicly accessible web directory, allowing code execution, the ability to write malicious files to any path, run commands, escalate privilege, and allow remote access. In the attacks, a variant of PlugX was being used to install a remote access tool. This variant had a modification in its source code, changing a well-known variable name from PLUG to THOR.

When run, a legitimate Windows binary is used to download a dropper, which is designed to remain undetected and can only be run with a specific loader. All variants of PlugX require the use of DLL side-loading to run. The downloaded dropper has its first 1000 bytes filled with random padding until it has a NULL byte, signaling the beginning of the file. When loaded into memory, the code unpacks and communication with a command and control (C2) server begins.

When running, THOR behaves the same as previous PlugX variants, decrypting hard-coded and embedded configuration settings. Communication with the C2 server is over ports 80, 443, 53, and 8000 using UDP and TCP. While the first handshake with the C2 looks like HTTP data, it is made of random bytes with variable lengths. If the return value from the C2 is the correct length, actual HTTP communication between the victim and C2 starts. Various values in the C2 traffic are hard-coded, such as the user-agent and a known PlugX constant. When installation is complete, a Windows system service named HP Digital Image is created and system events are logged to a hidden file labeled NTUSER.dat. The MZ and PE headers of the running module are removed and replaced with ROHT, which is THOR written backwards.

The primary goals of THOR and other PlugX variants are to monitor, make changes, and interact with the system, as well as to install additional malware.

Target Geolocations: Myanmar, Taiwan, Vietnam, Indonesia, Mongolia, Tibet, Xinjiang
Target Data: Any
Target Businesses: Any
Exploits: CVE-2021-26855, CVE-2021-27065

MITRE ATT&CK for THOR
Initial Access: Spearphishing Attachments, Malspam
Persistence: Server Software Component
Evasion: Deobfuscate/Decode Files or Information, Hide Artifacts
Collection: Audio Capture, Clipboard Data, Input Capture, Screen Capture, Video Capture
Exfiltration: Exfiltration Over Command and Control Channel

IOCs

Domains:
apple-net[.]com
destroy2013[.]com
emicrosoftinterview[.]com
fitehook[.]com
flashplayerup[.]com
indonesiaport[.]info
manager2013[.]com
rainydaysweb[.]com
upload.ukbbcnews[.]com

IPs:
185.239.226[.]65
45.251.240[.]55
58.158.177[.]102

Additional Information
THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group
PKPLUG: Chinese Cyber Espionage Group Attacking Southeast Asia
Take a Deep Dive into PlugX Malware

Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Cloud Web Security
Cisco Network Security
Cisco Secure Network Analytics
Cisco Secure Cloud Analytics
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

See security in action

Let one of our experts show you how Cisco Umbrella can simplify your security and protect your users everywhere.

Schedule a demo

Additional Resources

  • On-demand Webinar: Threat Spotlight Series
  • Schedule a personalized demo

Suggested Blogs

  • September’s Threats: MuddyWater, Manjusaka, and SocGholish September 20, 2022 5 minute read
  • CrimsonRat, AvosLocker & MaliBot July 28, 2022 5 minute read
  • BlackCat Ransomware, ZingoStealer & BumbleBee Loader May 24, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn
Subscribe to the Cisco Umbrella blog Subscribe

Follow Us

Facebook X LinkedIn Youtube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2025 Cisco Umbrella