
Government Agencies Warn About BlackMatter Ransomware

by Chris Brook on Thursday October 21, 2021


CISA, the FBI, and NSA provided defenders with tips to protect networks and mitigations to prevent the spread of the ransomware.

Another week, another government ransomware warning.

This week, federal agencies are sounding the alarm over attacks carried out recently by the BlackMatter ransomware group.

While the group isn't new - it first emerged on the scene in July, ramping up its ransom demands to as much as $3 to $4 million - the advisory about the ransomware, issued on Monday by the FBI, NSA, and CISA, is.

A ransomware-as-a-service (RaaS) tool, BlackMatter lets its developers sell or lease their variants to affiliates and take a cut of the affiliates' ransoms. Experts have hinted since some of the first BlackMatter attacks, back in July, that the group bore some resemblance to DarkSide, a group that was active from September 2020 to May this year and was connected to this spring's attack against Colonial Pipeline.

The group made headlines earlier this year when it promised not to hit the following sectors:

  • Hospitals
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
  • Oil and gas industry (pipelines, oil refineries)
  • Defense industry
  • Non-profit companies
  • Government sector

While it's only been a few months, BlackMatter has been responsible for a handful of attacks, including one against Japanese tech company Olympus, and an attack last month involving the farming cooperative NEW Cooperative in which it asked for $5.9 million, a sum the group threatened to increase to $11.8 million if not paid within five days. That one came a week after another attack against Crystal Valley, another farming co-op based in Minnesota.

According to CISA, the group primarily uses previously compromised credentials and, from there, the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Directory, together with the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate hosts on the network. From there, it can encrypt those hosts and any shared drives.

Sometimes the group isn't in the business of encrypting; it simply destroys.

“When the actors found backup data stores and appliances on the network, not stored offsite, they wiped or reformatted the data,” CISA’s advisory reads.

To reduce the risk of a BlackMatter attack, organizations should follow ransomware mitigations CISA has recommended previously, including the use of strong passwords, multi-factor authentication, patch management, and network segmentation and traversal monitoring. One tip that government agencies have emphasized of late is the concept of time-based access and tools that can help supplement access management. If attackers were to use stolen or compromised credentials during off hours, or on the weekend, that access may go undetected. For administrators with higher-level admin access, CISA recommends that organizations consider employing just-in-time access.
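The two points above, off-hours use of privileged credentials and srvsvc-based share enumeration across many hosts, can both be turned into simple detections. The following is an added example written for this article; it is not code from CISA, the advisory, or Digital Guardian. The event records, their field names, the privileged-account list, and the 08:00 to 18:00 weekday business window are all constructed assumptions; a real deployment would feed it Windows logon and file-share events or firewall/NetFlow records and tune the window and threshold to its own environment.

```python
"""Two defender-side checks over constructed, Windows-style security events.

1. off_hours_privileged_logons: successful logons by privileged accounts
   outside a defined business window (the "time-based access" idea).
2. share_enumeration_fanout: one source reaching the srvsvc named pipe on
   many distinct hosts inside a short window, the footprint that
   NetShareEnumAll-style host discovery leaves behind.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed membership of a privileged group (constructed for this example).
PRIVILEGED_ACCOUNTS = {"da_admin", "svc_backup"}

# Constructed sample events. Field names are invented for this example.
SAMPLE_EVENTS = [
    # Saturday 02:1x: a privileged service account logs on, then reaches srvsvc on many hosts.
    {"ts": "2021-10-16T02:14:00", "kind": "logon", "user": "svc_backup", "src": "10.0.5.23", "dst": "DC01"},
    {"ts": "2021-10-16T02:15:10", "kind": "smb_pipe", "pipe": "srvsvc", "user": "svc_backup", "src": "10.0.5.23", "dst": "FS01"},
    {"ts": "2021-10-16T02:15:12", "kind": "smb_pipe", "pipe": "srvsvc", "user": "svc_backup", "src": "10.0.5.23", "dst": "FS02"},
    {"ts": "2021-10-16T02:15:15", "kind": "smb_pipe", "pipe": "srvsvc", "user": "svc_backup", "src": "10.0.5.23", "dst": "WS-ACCT-07"},
    {"ts": "2021-10-16T02:15:19", "kind": "smb_pipe", "pipe": "srvsvc", "user": "svc_backup", "src": "10.0.5.23", "dst": "WS-ACCT-08"},
    {"ts": "2021-10-16T02:15:21", "kind": "smb_pipe", "pipe": "srvsvc", "user": "svc_backup", "src": "10.0.5.23", "dst": "BACKUP01"},
    # Monday 09:30: an admin logs on in business hours and touches one file server (benign).
    {"ts": "2021-10-18T09:30:00", "kind": "logon", "user": "da_admin", "src": "10.0.1.10", "dst": "DC01"},
    {"ts": "2021-10-18T09:31:00", "kind": "smb_pipe", "pipe": "srvsvc", "user": "da_admin", "src": "10.0.1.10", "dst": "FS01"},
    # Monday 10:00: a helpdesk host polls the same server twice; many events, one host, not fan-out.
    {"ts": "2021-10-18T10:00:00", "kind": "smb_pipe", "pipe": "srvsvc", "user": "helpdesk", "src": "10.0.3.5", "dst": "FS01"},
    {"ts": "2021-10-18T10:00:05", "kind": "smb_pipe", "pipe": "srvsvc", "user": "helpdesk", "src": "10.0.3.5", "dst": "FS01"},
    # Monday 19:45: an ordinary user logs on late; not privileged, so rule 1 ignores it.
    {"ts": "2021-10-18T19:45:00", "kind": "logon", "user": "jdoe", "src": "10.0.2.44", "dst": "DC01"},
]


def parse_ts(s):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(s)


def in_business_hours(dt, start_hour=8, end_hour=18):
    """Weekday and within [start_hour, end_hour). Adjust to the organisation's own window."""
    return dt.weekday() < 5 and start_hour <= dt.hour < end_hour


def off_hours_privileged_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """Return (user, src, ts) for every privileged logon outside business hours."""
    hits = []
    for e in events:
        if e["kind"] != "logon" or e["user"] not in privileged:
            continue
        if not in_business_hours(parse_ts(e["ts"])):
            hits.append((e["user"], e["src"], e["ts"]))
    return hits


def share_enumeration_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Return {src: peak number of distinct hosts whose srvsvc pipe the source
    reached within `window`} for every source that meets `threshold`."""
    per_src = defaultdict(deque)  # src -> recent (ts, dst) pairs in time order
    peaks = {}
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        if e["kind"] != "smb_pipe" or e.get("pipe") != "srvsvc":
            continue
        ts = parse_ts(e["ts"])
        recent = per_src[e["src"]]
        recent.append((ts, e["dst"]))
        while recent and ts - recent[0][0] > window:  # drop events older than the window
            recent.popleft()
        distinct = len({dst for _, dst in recent})
        if distinct >= threshold and distinct > peaks.get(e["src"], 0):
            peaks[e["src"]] = distinct
    return peaks


if __name__ == "__main__":
    for user, src, ts in off_hours_privileged_logons(SAMPLE_EVENTS):
        print(f"off-hours privileged logon: {user} from {src} at {ts}")
    for src, n in share_enumeration_fanout(SAMPLE_EVENTS).items():
        print(f"srvsvc fan-out: {src} reached {n} distinct hosts within 10 minutes")
```

On the sample data, only the Saturday activity from 10.0.5.23 trips either rule: the privileged logon at 02:14 is outside the business window, and the same source reaches srvsvc on five distinct hosts in about ten seconds. Before deploying something like the fan-out rule, baseline the sources that legitimately enumerate shares across the estate (vulnerability scanners, backup and inventory servers) and either allow-list them or raise the threshold, otherwise the rule pages on every scheduled scan.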

CISA, the FBI, and NSA also encourage organizations to follow CISA's ransomware response checklist, scan their backups, follow incident response best practices, and report any incidents to the appropriate parties.

Defenders looking for more information should refer to the advisory for BlackMatter TTPs - tactics, techniques, and procedures - detection signatures, and mitigations.

Tags:  Ransomware Government
