BlackMatter Ransomware Recovery

Has BlackMatter ransomware infected your system? Don’t panic. This page will show you how to identify BlackMatter ransomware and how to remove it. You can also talk to our emergency ransomware rapid response team any time, 24/7, for a free consultation. Call us now to assess the damage and learn more about your options.

BeforeCrypt is a team of experienced cybersecurity professionals. Our team of highly trained technicians have helped hundreds of clients worldwide recover from ransomware attacks as quickly and safely as possible with a streamlined ransomware remediation flow.

Or read on to learn more about BlackMatter ransomware decryption.

How to tell if BlackMatter Ransomware has infected your system

The most common way BlackMatter ransomware victims learn that they’ve been infected is through a ransom note that replaces their desktop wallpaper. Your wallpaper may be replaced with a black background with a note telling you to follow the instructions in a .txt file to get your files back.


BlackMatter Ransomware was first observed in July 2020 and claims to combine features from other dangerous ransomware strains, including DarkSide, REvil, and Lockbit 2.0. BlackMatter encrypts files and then replaces the file extensions with a random string of numbers and letters, like “.8req7mPx4”. BlackMatter uses SHA-256 encryption, which is effectively impossible to crack.

Since BlackMatter is a relatively new variant, there are no free decryption tools currently known.

  • Identifying BlackMatter Ransomware
  • BlackMatter ransomware will place a file on your desktop that will usually include the word “README” along with a string of numbers and letters. For example, it might be called README.e34e753e.TXT.
  • The file extensions on all of your files will change to a random string of numbers and letters, like .8req7mPx4.
  • The readme note will direct you to download a dark web internet browser and access a TOR web service to communicate with the hackers.
  • An early warning sign is your CPU running at a high utilization rate, even though you’re not doing any computation-heavy tasks.
  • This may mean that you notice simple tasks taking longer than usual, or mouse movements might seem sluggish.
  • If your hard drive is writing at a high rate even though you are not downloading anything, this is another sign that ransomware may be encrypting your files.
  • Your antivirus software may be deactivated or behaving strangely.

What do I do if my data is encrypted by BlackMatter ransomware?

  • If you suspect ransomware has infected your system, immediately shut down your computer normally. Check our Ransomware Response Guide for detailed instructions.
  • We do not advise talking directly with the attackers. In our experience, ransom outcomes are usually significantly better when professional negotiators are involved.
  • Report the hack to the relevant authorities from your local or national police. Check our directory for instructions on how to contact the office responsible for ransomware in your country. There may also be data leak reporting requirements.
  • Try to determine how the infection occurred so you can patch the vulnerability before restoring your system.
  • If this sounds like a lot of stress, contact us and get help now.

BeforeCrypt is a licensed and registered cyber security firm specializing in ransomware incident response. We’ve handled hundreds of ransomware cases, and we know the best ways to safely and quickly get you back to normal.

We understand this can be stressful. Our emergency response team is ready to begin the recovery process immediately.

Watch out for unlicensed companies promising free decryption tools. We’ve seen a number of fake decryptors that criminals try to push on stressed and vulnerable ransomware victims. Stressful situations can easily cloud a person’s judgment, which is why it’s best to work with experienced ransomware experts.

BeforeCrypt is Europe’s leading ransomware recovery firm. We can help you get back up and running – quickly and safely.

Stay calm and contact us NOW for a FREE consultation!


BlackMatter is mainly focused on large corporations. This is apparent by the fact that they offer employees of large companies sums of money for helping them infect corporate networks.

Since BlackMatter is still a relatively new variant, there’s not a lot of data on the ransom amounts yet, but so far averages are generally above $100,000 USD though in some cases they reach into the millions.

Ransoms are payable in Bitcoin. It’s important to note that quick-buy methods of purchasing Bitcoin can come with heavy fees. With large ransoms, it’s also possible that buying large amounts of Bitcoin can push up purchase prices on exchanges, making it more expensive.

BlackMatter downtime can vary depending on a number of factors. On average, downtime resulting from BlackMatter ransomware attacks is average.

Downtime is usually the most expensive part of an attack. Discretion can also be important, as in many industries a ransomware attack can also damage reputation. Getting back online quickly can help to avoid an attack being publicized.

So far, BlackMatter has proven to be a highly professional gang that consistently provides reliable decryption tools. However, as the BlackMatter network expands, this may not always be the case.

We maintain detailed case files to keep track of all active ransomware gangs so that we can respond appropriately to each threat.

Most BlackMatter attacks utilize phishing as a primary attack vector.

NameBlackMatter / BlackMatter Ransomware
Danger LevelVery High. Automatic data leak and privilege escalation capabilities.
Release date2021
Affected SystemsWindows
File ExtensionsRandom string of numbers and letters
Ransom NoteThe word README with a random string of text like README.e34e753e.TXT
Contact EmailVia a TOR dark web site
Known ScammersNone


BlackMatter Ransomware Note #1: .txt Notice

A typical BlackMatter ransomware note.

* +
() .-.,='”‘=. – o –
‘=/_ \ |
* | ‘=._ |
\ `=./`, ‘
. ‘=.__.=’ `=’ *
+ Matter +
O * ‘ .

>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What data stolen?
From your network was stolen xxx GB of data.
If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.
Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.

>> How to contact with us?
1. Download and install TOR Browser (
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/xxxxxxxxxxxxxxxxxxxx

>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.


The only way to know precisely how much ransomware response will cost is to contact us for a free consultation.

Ransomware response cost varies according to the type of attack, how much data is affected, the number of computers infected, and your local environment (computer performance, servers, operating systems). The response includes removal of the ransomware, negotiations with attackers and transferring payment if necessary, restoring data, patching the vulnerability that led to the attack, and preparing all documentation for legal compliance and insurance claims. The course of action our clients choose also affects the overall cost. 

The minimum cost for small companies generally starts around several thousand euros, including the cost of the ransom. However, if at all possible, we strongly recommend avoiding paying the attackers. Paying the attackers encourages them to harm more people. However, if it is not economically feasible, we handle fully legally compliant payments to attackers. The overall expense depends a lot on the ransom amount demanded, and how successful negotiations are. We maintain a database on ransomware gangs to negotiate more effectively. In some cases, negotiations can result in a significant reduction in the ransom payment.

We have a greater than 98% success rate.

In the case of most of our clients who have cyber insurance, their coverage pays the cost of our services, as well as the ransom, if necessary. 



  1. Professional ransomware response can significantly decrease downtime. We deal with hundreds of cases every year. Through our years of experience, we have developed a streamlined process that brings our clients back online as fast as possible. In the event that a ransom has to be paid, purchasing the necessary cryptocurrency can take days. The process of resolving a ransomware attack without prior experience can take many hours of research. Most of our cases are completely resolved 24-72 hours after we begin the recovery process.

  2. Avoid dealing with criminals and ensure legal compliance. Most companies don’t feel comfortable dealing with cyber-criminals. It can add another layer of stress in emergency. We maintain files on different groups of hackers in order to maximize security and effectiveness of negotiations. We also ensure that all communications and transfers comply with applicable laws and regulations to protect our clients against potential legal problems. 

  3. Cryptocurrency transfers. It is always better to avoid giving into the attacker’s demands. If backups and normal recovery methods fail, however, there may be no other choice. Most ransomware attackers demand payment in Bitcoin. We guide you through the whole process of creating a crypto currency wallet and buying the crypto currency with you. Therefore we have different cooperation partner in order to prepare your wallet and do the transaction as quick and easy as possible for you. 

  4. Ensure data integrity and security. As specialists in the field of ransomware incident response, we are always refining industry best practices for data recovery. We have robust, standardized procedures for backing up encrypted data, restoring data, and removing viruses to ensure that there is no data loss or damage.

  5. Easy Insurance Reporting: All of our clients receive a detailed incident report with all information required by cyber-insurance and for law enforcement purposes. Thankfully, cyber-insurance often covers the cost of cyber-extortion as well as professional ransomware response services. Completing all paperwork correctly from the beginning can speed up the process of filing a claim and recovering lost funds.
  1. Backup, Backup, Backup! In most cases, a fresh and secure backup of data can prevent ransomware attack from succeeding. For this reason, many attackers put in a lot of effort to find and encrypt backups. The best backup will be air-gapped, meaning physically disconnected from your main network. It is also important to have a regular backup schedule with robust security procedures. 

  2. Install a Next-Gen Antivirus. Next generation anti-virus software combines a classic signature-based antivirus with powerful exploit protection, ransomware protection and endpoint detection and response (EDR). Mcafee, Fireeye, and Sentinel One are all examples of antivirus software with these features. 

  3. Install a Next-Gen Firewall. A Next-Gen-Firewall is also called Unified threat management (UTM) firewall. It adds a layer of security at every entry and exit point of your company data communication. It combines classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features. 

If you can afford it, having staff or hiring a dedicated service to monitor network traffic can also help to detect unusual activity and prevent ransomware attacks. Ransomware attackers usually do a lot of surveillance on a network before attempting a hack. This “reconnaissance” phase has certain tell-tale signs. If you can catch these early, it’s possible to detect the attacker early and deny them access to the network. 

If you get hit by ransomware, a professional ransomware recovery service can help to identify and patch security gaps. 

BeforeCrypt is founded, established, licensed and registered in Germany as an GmbH business with worldwide operations. We have a full-time team of staff, contractors and cybersecurity consultants ready to work with you round the clock.

Although based in Germany, our support is available 24/7 and in 20 languages. You can use our contact form here to submit a ransomware ticket.

We are always happy to assist our clients and get them back up and running in minimal time as possible.

In emergencies, we can start with the ransomware data recovery immediately. Since our support team operates 24/7, we can reduce your downtime to a minimum by working non-stop to recover your data.

Need help with BlackMatter ransomware removal and decryption? Contact us now to start the recovery process immediately.

Ransomware Recovery Data