zephyr_p - stock.adobe.com
US intelligence agencies issue advisory on BlackMatter gang
Joint advisory on ransomware gang warns about potential of further attacks on critical infrastructure providers
The BlackMatter ransomware gang has targeted US-based critical infrastructure entities, including two food and agriculture sector organisations, according to a joint cyber security advisory issued by US intelligence agencies.
The advisory, published on 18 October 2021 by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA), provides an overview of the threat posed by BlackMatter and technical details of its attacks.
“First seen in July 2021, cyber actors leveraged BlackMatter with embedded, previously compromised credentials that enabled them to access the network and remotely encrypt hosts and shared drives,” said an NSA press release.
“When the actors found backup data stores and appliances on the network, not stored off-site, they wiped or reformatted the data. BlackMatter is a ransomware-as-a-service (RaaS) tool, which means the developers are able to profit from cyber criminal affiliates (ie BlackMatter actors) who deploy it.”
The advisory itself said: “BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous US-based organisations and have demanded ransom payments ranging from $80,000 to $15,000,000 in bitcoin and monero.”
It added that the BlackMatter ransomware variant uses “embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively.”
It also noted that BlackMatter uses a separate encryption binary for Linux-based machines and routinely encrypts ESXi virtual machines: “Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.”
Although the advisory lends credence to the view that BlackMatter is a rebrand of the now-defunct DarkSide ransomware – credited for the attack on Colonial Pipeline – the group itself has confirmed that, despite taking inspiration from the DarkSide operation and having worked with some of its affiliates in the past, it is its own distinct project.
Although US intelligence agencies did not confirm which two critical infrastructure organisations had been attacked, BlackMatter targeted US-based grain co-op New Cooperative in September 2021.
It claimed to have stolen financial and human resources data, research and development information, and the source code for New Cooperative’s proprietary SoilMap software – and demanded a $5.9m ransom.
According to Rob Joyce, director of cyber security at the NSA, the threat of ransomware has gone beyond the specific impacts to a victim company, and has risen to a national security issue. “NSA’s technical skills and threat intelligence will continue to support our partners across government and industry to degrade adversary footholds into networks where they launch ransomware,” he said.
Read more about ransomware gangs
- The Babuk ransomware operation backed away from encrypting its victims’ files, and technical difficulties may be to blame, reports McAfee.
- Palo Alto’s Unit 42 shares intel on the emergent Prometheus ransomware gang, with apparent links to the Thanos crew.
- The process of negotiating a ransomware payment is delicate, hence cyber criminal organisations are prepared to offer good terms to those with the right skillsets.
“Employing the mitigations in the joint advisory with CISA and the FBI will protect networks and mitigate the risk against BlackMatter and other ransomware attacks.”
Earlier this month, US senator and former Democrat presidential candidate Elizabeth Warren, alongside North Carolina congresswomen Deborah Ross, introduced the bicameral Ransom Disclosure Act.
If enacted, the bill would require organisations that decide to pay a ransom – not private individuals – to disclose information about ransom payments within, and no later than, 48 hours after payment is made. This would include how much they paid, what currency was used, and any known information about their attackers.
Bryan Vorndran, assistant director of the FBI’s Cyber Division, said too many ransomware incidents go unreported, and urged the organisations affected to contact their local FBI field office.
“By reporting a cyber incident, targeted entities are enhancing our ability to respond and investigate with the goal of disrupting cyber criminal operations,” he said. “We will continue to leverage our unique authorities and capabilities to protect the American people from this threat. However, we cannot accomplish this alone.
“We remain committed to providing the public and our private sector partners with information that will bolster their ability to decrease vulnerabilities and increase awareness of potential exploits.”
The advisory also made a number of mitigation best practice recommendations for organisations to follow, such as: implementing and enforcing backup procedures; using strong, unique passwords; deploying multifactor authentication; and implementing network segmentation and traversal monitoring.
It also recommended limiting access to resources over the network by restricting privileges to only necessary service or user accounts, and using a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines.
For critical infrastructure providers specifically, additional mitigation should come in the form of: disabling the storage of clear text passwords in LSASS memory; limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication; implementing credential guards for Windows 10 and Server 2016; and minimising the AD attack surface, it said.