BlackMatter Ransomware Recovery

Has BlackMatter ransomware infected your system? Don’t panic. This page will show you how to identify BlackMatter ransomware and how to remove it. You can also talk to our emergency ransomware rapid response team any time, 24/7, for a free consultation. Call us now to assess the damage and learn more about your options.

BeforeCrypt is a team of experienced cybersecurity professionals. Our team of highly trained technicians have helped hundreds of clients worldwide recover from ransomware attacks as quickly and safely as possible with a streamlined ransomware remediation flow.

Or read on to learn more about BlackMatter ransomware decryption.

How to tell if BlackMatter Ransomware has infected your system

The most common way BlackMatter ransomware victims learn that they’ve been infected is through a ransom note that replaces their desktop wallpaper. Your wallpaper may be replaced with a black background with a note telling you to follow the instructions in a .txt file to get your files back.


BlackMatter Ransomware was first observed in July 2020 and claims to combine features from other dangerous ransomware strains, including DarkSide, REvil, and Lockbit 2.0. BlackMatter encrypts files and then replaces the file extensions with a random string of numbers and letters, like “.8req7mPx4”. BlackMatter uses SHA-256 encryption, which is effectively impossible to crack.

Since BlackMatter is a relatively new variant, there are no free decryption tools currently known.

  • Identifying BlackMatter Ransomware
  • BlackMatter ransomware will place a file on your desktop that will usually include the word “README” along with a string of numbers and letters. For example, it might be called README.e34e753e.TXT.
  • The file extensions on all of your files will change to a random string of numbers and letters, like .8req7mPx4.
  • The readme note will direct you to download a dark web internet browser and access a TOR web service to communicate with the hackers.
  • An early warning sign is your CPU running at a high utilization rate, even though you’re not doing any computation-heavy tasks.
  • This may mean that you notice simple tasks taking longer than usual, or mouse movements might seem sluggish.
  • If your hard drive is writing at a high rate even though you are not downloading anything, this is another sign that ransomware may be encrypting your files.
  • Your antivirus software may be deactivated or behaving strangely.

What do I do if my data is encrypted by BlackMatter ransomware?

  • If you suspect ransomware has infected your system, immediately shut down your computer normally. Check our Ransomware Response Guide for detailed instructions.
  • We do not advise talking directly with the attackers. In our experience, ransom outcomes are usually significantly better when professional negotiators are involved.
  • Report the hack to the relevant authorities from your local or national police. Check our directory for instructions on how to contact the office responsible for ransomware in your country. There may also be data leak reporting requirements.
  • Try to determine how the infection occurred so you can patch the vulnerability before restoring your system.
  • If this sounds like a lot of stress, contact us and get help now.

BeforeCrypt is a licensed and registered cyber security firm specializing in ransomware incident response. We’ve handled hundreds of ransomware cases, and we know the best ways to safely and quickly get you back to normal.

We understand this can be stressful. Our emergency response team is ready to begin the recovery process immediately.

Watch out for unlicensed companies promising free decryption tools. We’ve seen a number of fake decryptors that criminals try to push on stressed and vulnerable ransomware victims. Stressful situations can easily cloud a person’s judgment, which is why it’s best to work with experienced ransomware experts.

BeforeCrypt is Europe’s leading ransomware recovery firm. We can help you get back up and running – quickly and safely.

Stay calm and contact us NOW for a FREE consultation!


BlackMatter is mainly focused on large corporations. This is apparent by the fact that they offer employees of large companies sums of money for helping them infect corporate networks.

Since BlackMatter is still a relatively new variant, there’s not a lot of data on the ransom amounts yet, but so far averages are generally above $100,000 USD though in some cases they reach into the millions.

Ransoms are payable in Bitcoin. It’s important to note that quick-buy methods of purchasing Bitcoin can come with heavy fees. With large ransoms, it’s also possible that buying large amounts of Bitcoin can push up purchase prices on exchanges, making it more expensive.

BlackMatter downtime can vary depending on a number of factors. On average, downtime resulting from BlackMatter ransomware attacks is average.

Downtime is usually the most expensive part of an attack. Discretion can also be important, as in many industries a ransomware attack can also damage reputation. Getting back online quickly can help to avoid an attack being publicized.

So far, BlackMatter has proven to be a highly professional gang that consistently provides reliable decryption tools. However, as the BlackMatter network expands, this may not always be the case.

We maintain detailed case files to keep track of all active ransomware gangs so that we can respond appropriately to each threat.

Most BlackMatter attacks utilize phishing as a primary attack vector.

NameBlackMatter / BlackMatter Ransomware
Danger LevelVery High. Automatic data leak and privilege escalation capabilities.
Release date2021
Affected SystemsWindows
File ExtensionsRandom string of numbers and letters
Ransom NoteThe word README with a random string of text like README.e34e753e.TXT
Contact EmailVia a TOR dark web site
Known ScammersNone


BlackMatter Ransomware Note #1: .txt Notice

A typical BlackMatter ransomware note.

* +
() .-.,='”‘=. – o –
‘=/_ \ |
* | ‘=._ |
\ `=./`, ‘
. ‘=.__.=’ `=’ *
+ Matter +
O * ‘ .

>>> What happens?
Your network is encrypted, and currently not operational.
We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data.

>>> What data stolen?
From your network was stolen xxx GB of data.
If you do not contact us we will publish all your data in our blog and will send it to the biggest mass media.
Blog post link: http://blackmax7su6mbwtcyo3xwtpfxpm356jjqrs34y4crcytpw7mifuedyd.onion/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

>>> What guarantees?
We are not a politically motivated group and we do not need anything other than your money.
If you pay, we will provide you the programs for decryption and we will delete your data.
If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals.
We always keep our promises.

>> How to contact with us?
1. Download and install TOR Browser (
2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/xxxxxxxxxxxxxxxxxxxx

>> Warning! Recovery recommendations.
We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.

Need help with BlackMatter ransomware removal and decryption? Contact us now to start the recovery process immediately.

Ransomware Recovery Data