Noberus: a successor to Darkside and BlackMatter ransomware.
Sep 22, 2022

Noberus ransomware looks to be the successor to Darkside and BlackMatter ransomware, developed by the same threat actor.

The Symantec Threat Hunter Team, part of Broadcom Software, this morning released a report detailing the Noberus (aka BlackCat, ALPHV) ransomware. It is believed that Noberus is a successor to the Darkside and BlackMatter ransomware families, developed by a group tracked by Symantec as Coreid. Coreid provides ransomware-as-a-service (RaaS), developing the ransomware for affiliates, who then give Coreid a cut of the profits.

Target exclusions for Noberus.

Noberus, which is coded in Rust, was first seen in November of 2021. It is the first observed professional ransomware strain used in attacks that was coded in this cross-platform language. Because Rust is cross-platform, Coreid says that Noberus can be used on multiple operating systems, including Windows, ESXi, Debian, ReadyNAS, and Synology. Noberus appeared shortly after BlackMatter was retired, and Coreid said in its rules that the ransomware cannot be used to attack:

  • “The Commonwealth of Independent States or neighboring countries
  • “Organizations in or related to the healthcare sector
  • “Charitable or non-profit organizations
  • “Affiliates are also advised to avoid attacking the education and government sectors.”

Coreid also highlighted the features that make the ransomware stand out from the competition, stating that “each advert is provided with an entrance through its own unique onion domain; the affiliate program architecturally excludes all possible connections with forums; even if a full-fledged command line shell is obtained, the attacker will not be able to reveal the real IP address of the server, and encrypted negotiation chats that can only be accessed by the intended victim.” The ransomware offered two encryption algorithms, ChaCha20 and AES, along with four encryption modes: Full, Fast, DotPattern and SmartPattern. Researchers report that Noberus has been updated continuously since its release.

Exmatter is being used alongside Noberus.

An updated version of the Trojan.Exmatter data exfiltration tool was observed being used alongside Noberus in August 2022. Exmatter was designed to steal specific file types and route them to an attacker’s server prior to the deployment of ransomware. Information-stealing malware Infostealer.Eamfo has also been observed being used alongside Noberus, and is designed to steal credentials from Veeam backup software.