Government Agencies Warn About BlackMatter Ransomware

Another week, another government ransomware warning.

This week, federal agencies are sounding the alarm over attacks carried out recently by the BlackMatter ransomware group.

While the group isn't new - it first emerged on the scene in July, ramping up its ransom demands as high as $3 to $4 million - the advisory about the ransomware, issued by the FBI, NSA, and CISA, on Monday, is.

A ransomware-as-a-service (Raas) tool, BlackMatter allows developers to sell or lease their variants, something which lets them profit from any affiliates. Experts have hinted since some of the first BlackMatter attacks, back in July, that the group bore some resemblance to DarkSide, a group that was active from September 2020 to May this year and connected to this spring's attack against Colonial Pipeline.

The group made headlines earlier this year when it promised not to hit the following sectors:

• Hospitals
• Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
• Oil and gas industry (pipelines, oil refineries)
• Defense industry
• Non-profit companies
• Government sector

While it's only been a few months, BlackMatter has been responsible for a handful of attacks, including one against Japanese tech company Olympus, and an attack last month involving the farming cooperative NEW Cooperative in which it asked for $5.9 million dollars, a sum the group threatened to increase to $11.8 if not paid after five days. That one came a week after another attack against Crystal Valley, another farming co-op based in Minnesota.

According to CISA, the group primarily uses previously compromised credentials and from there, both the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Discovery and the the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to find any hosts on the network. From there, it can encrypt them and any shared drives.

Sometimes the group isn’t in the business of encrypting, it simply destroys.

“When the actors found backup data stores and appliances on the network, not stored offsite, they wiped or reformatted the data,” CISA’s advisory reads.

To reduce the risk of a BlackMatter attack, organizations should follow ransomware mitigations CISA has recommended previously, including the use of strong passwords, multi-factor authentication, patch management, and network segmentation and traversal monitoring.  One tip that government agencies have emphasized of late is the concept of time-based access and tools that can help supplement access management. If attackers were to use stolen or compromised credentials during off hours, or let's say on the weekend, that access may not be detected. For administrators with higher level admin access, organizations should consider employing a just-in-time access, CISA recommends.

CISA, the FBI, and NSA also encourage organizations to follow its ransomware response checklist, scan their backups, follow incident response best practices, and report any incidents to the appropriate parties.

Defenders looking for more information should refer to the advisory for BlackMatter TTPs - tactics, techniques, and procedures - detection signatures, and mitigations.