Feds Issue Security Advisory About BlackMatter Ransomware

Law enforcement agencies in the United States have issued a joint advisory about BlackMatter ransomware. The advisory details the tactics, techniques, and procedures (TTPs) used by the ransomware gang, to help organizations improve their defenses, and provides indicators of compromise and Snort rules that can be used to identify and block attacks in progress.

BlackMatter ransomware appeared in July 2021, shortly after the DarkSide ransomware operation shut down following the attack on Colonial Pipeline. That timing, together with several similarities between the two operations, has led many security experts to conclude that BlackMatter is a rebranding of the DarkSide ransomware operation.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) obtained and analyzed a sample of the ransomware in a sandbox environment and gained insights into how the group operates, details of which are provided in the advisory.

According to the advisory, the BlackMatter ransomware operation typically uses previously compromised credentials in its attacks and leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Directory (AD). All hosts on the network are discovered, and the ransomware encrypts files on hosts and shared drives as they are discovered. A separate ransomware variant has been developed to attack Linux-based systems and is capable of encrypting VMware ESXi virtual servers. While it is common for ransomware to encrypt backups as well as files, BlackMatter simply wipes or reformats backups and backup appliances.

The BlackMatter attacks seen so far have involved ransom demands of between $80,000 and $15,000,000, payable in Bitcoin or Monero, and the gang is known to target critical infrastructure entities. Those attacks have the potential to disrupt critical infrastructure services.

Victims include a feed and grain cooperative in Iowa and a farm supply and grain marketing cooperative in Minnesota, and the group has also attacked tech firms, including Olympus. Targets are usually organizations with annual revenues of at least $100 million, and the gang has previously advertised for access to the networks of such companies; however, the gang appears not to target certain industry sectors, including healthcare, non-profits, government agencies, and the defense industry.

Since compromised credentials are commonly used to gain access to networks, many of the suggested mitigations involve authentication measures, including setting strong, brute-force-resistant passwords for all accounts and implementing multi-factor authentication to block attempts to use compromised passwords.

The gang may also use exploits for known vulnerabilities, so it is important for software updates and patches to be applied promptly. Other mitigations include the use of network segmentation and traversal monitoring to limit the gang's ability to move laterally within networks, using time-based access for accounts with admin privileges, disabling command-line and scripting activities and permissions, and maintaining offline backups. The advisory also lists additional mitigations that critical infrastructure organizations should implement.

The agencies have also created Snort signatures that can be used to detect the remote encryption process when it occurs, allowing steps to be rapidly taken to block attacks in progress.

Author: NetSec Editor