Federal Authorities Warn of Resurgence of Ransomware Gang

According to CISA, the FBI and the NSA, the cybercriminal group known as BlackMatter is picking up where its predecessor, DarkSide, left off. Federal authorities are monitoring the resurgence of the ransomware group, which they believe is accountable for the Colonial Pipeline attack that took place in May of this year. The agencies have also provided insight into its tactics, as well as practices for defending your organization, encouraging businesses to implement security defenses in preparation for new attacks.

BlackMatter Picked Up Where DarkSide Left Off

DarkSide shut down this past May and was replaced by BlackMatter, which has already carried out several attacks against critical infrastructure organizations, two of which were U.S. Food and Agriculture Sector cooperatives. As recently as this past September, the group targeted NEW Cooperative, quickly followed by Crystal Valley, a Minnesota-based farm supply and grain marketing cooperative, and a ransomware attack on Olympus. The advisory revealing the resurgence of BlackMatter stated, “ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services”, and “BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.”

Known Tactics

Also in the advisory was a synopsis of the agencies' findings on the criminal group’s tactics. A sample of BlackMatter ransomware was analyzed in a sandbox environment by researchers to develop insight into how the group infiltrates its targets' infrastructure. The BlackMatter variant was found to use compromised embedded admin or user credentials, and to call NtQuerySystemInformation and EnumServicesStatusExW to catalog active processes and services. Other findings were that the embedded credentials and the SMB protocol were used to remotely encrypt the stolen content from each of the shares, including ADMIN$, C$, SYSVOL, and NETLOGON. Lastly, the threat actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines.

Tips and Ways to Alleviate Damage

Experts have suggested tips to minimize the damage from cyber attacks:

The advisory stated, “using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.”

The agencies recommend employees use strong passwords and implement MFA to keep confidential information from being compromised.

Use the detection signatures provided to identify BlackMatter activity on a network and block the placement of the group’s ransom note on the first encrypted share. This subsequently keeps additional SMB traffic from the encryptor system from reaching other hosts for 24 hours.

The advisory suggests organizations limit access to resources over the network, as well as implement network segmentation and monitoring, to prevent the group from accessing and encrypting more resources.

Use a host-based firewall and remove access to administrative shares deemed unnecessary.

Limit common system and network discovery techniques to keep an attacker from learning the organization’s infrastructure.
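The detection tip above (spotting the ransom note on the first encrypted share and then blocking the encryptor's SMB traffic for 24 hours) and the discovery-limiting tip can both be checked against the same audit data: Windows Security event 5145, which records every access to a network share with the client address, share name, target file and requested access. The following is an added example, not code from the joint advisory or this article. It assumes the 5145 field names (IpAddress, ShareName, RelativeTargetName, AccessMask), uses a placeholder ransom-note file pattern in place of the advisory's real signature content, and runs over constructed sample log lines in a key=value layout chosen here.

```python
"""Added example, not from the joint advisory or this article.

A small detector over Windows Security event 5145 records (detailed file
share auditing), written from a defender's point of view:

  * a client that writes a ransom-note-like file onto an administrative
    share is treated as the encryptor system, and further SMB traffic
    from it is blocked for 24 hours;
  * a client that touches administrative shares on many different
    computers in a short window is flagged as performing discovery.

Assumptions: field names mirror the real 5145 event; the ransom-note
pattern, thresholds and log-line layout are placeholders chosen here;
every sample event below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Placeholder pattern: take the real indicator from the advisory's
# published detection signatures rather than from this example.
RANSOM_NOTE_PATTERN = re.compile(r"README\.txt$", re.IGNORECASE)

# Administrative shares named in the article; 5145 reports them as \\*\NAME.
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}

WRITE_DATA = 0x2                      # AccessMask bit: write/add file
BLOCK_WINDOW = timedelta(hours=24)    # block the encryptor for this long
DISCOVERY_WINDOW = timedelta(minutes=10)
DISCOVERY_HOSTS = 5                   # distinct computers before alerting

# Constructed sample log lines, one 5145 event per line.
SAMPLE_LOG = r"""
ts=2021-10-18T09:00:01 Computer=WS01 IpAddress=10.0.0.23 ShareName=\\*\ADMIN$ RelativeTargetName=svc.exe AccessMask=0x1
ts=2021-10-18T09:00:03 Computer=WS02 IpAddress=10.0.0.23 ShareName=\\*\C$ RelativeTargetName=Users AccessMask=0x1
ts=2021-10-18T09:00:05 Computer=WS03 IpAddress=10.0.0.23 ShareName=\\*\ADMIN$ RelativeTargetName=Temp AccessMask=0x1
ts=2021-10-18T09:00:06 Computer=FS01 IpAddress=10.0.0.23 ShareName=\\*\ADMIN$ RelativeTargetName=Temp AccessMask=0x1
ts=2021-10-18T09:00:08 Computer=DC01 IpAddress=10.0.0.23 ShareName=\\*\SYSVOL RelativeTargetName=corp.local\Policies AccessMask=0x1
ts=2021-10-18T09:00:40 Computer=FS01 IpAddress=10.0.0.23 ShareName=\\*\C$ RelativeTargetName=Finance\a1b2c3.README.txt AccessMask=0x2
ts=2021-10-18T09:01:00 Computer=FS01 IpAddress=10.0.0.23 ShareName=\\*\C$ RelativeTargetName=Finance\q4.xlsx AccessMask=0x2
ts=2021-10-18T09:05:00 Computer=DC01 IpAddress=10.0.0.50 ShareName=\\*\NETLOGON RelativeTargetName=login.bat AccessMask=0x1
"""


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict with typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    fields["AccessMask"] = int(fields["AccessMask"], 16)
    return fields


def share_name(event):
    """'\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return event["ShareName"].rsplit("\\", 1)[-1]


def is_ransom_note_write(event):
    """True when a client writes a ransom-note-like file to an admin share."""
    return (share_name(event) in ADMIN_SHARES
            and bool(event["AccessMask"] & WRITE_DATA)
            and RANSOM_NOTE_PATTERN.search(event["RelativeTargetName"]) is not None)


def analyze(log_text):
    """Run both detections; returns (blocks, discovery).

    blocks:    {source_ip: datetime until which its SMB traffic is dropped}
    discovery: {source_ip: distinct computers reached within the window}
    """
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    blocks, discovery = {}, {}
    touched = defaultdict(list)  # ip -> [(ts, computer)] for admin-share hits
    for ev in events:
        ip = ev["IpAddress"]
        # Ransom note on the first encrypted share: block the encryptor 24h.
        if ip not in blocks and is_ransom_note_write(ev):
            blocks[ip] = ev["ts"] + BLOCK_WINDOW
        # One client reaching admin shares on many computers: discovery.
        if share_name(ev) in ADMIN_SHARES:
            touched[ip].append((ev["ts"], ev["Computer"]))
            recent = {c for t, c in touched[ip] if ev["ts"] - t <= DISCOVERY_WINDOW}
            if len(recent) >= DISCOVERY_HOSTS:
                discovery[ip] = max(discovery.get(ip, 0), len(recent))
    return blocks, discovery


def smb_allowed(ip, when, blocks):
    """Firewall-style decision: may SMB from `ip` pass at time `when`?"""
    return ip not in blocks or when >= blocks[ip]


if __name__ == "__main__":
    found_blocks, found_discovery = analyze(SAMPLE_LOG)
    for ip, until in found_blocks.items():
        print(f"block SMB from {ip} until {until.isoformat()}")
    for ip, n in found_discovery.items():
        print(f"discovery from {ip}: touched admin shares on {n} computers")
```

On the constructed data the client at 10.0.0.23 is flagged for discovery after reaching five computers' administrative shares in eight seconds, and its ransom-note write on the first share starts a 24-hour block; the legitimate NETLOGON read from 10.0.0.50 triggers nothing. In production the same two functions would sit behind a SIEM query over forwarded 5145 events and feed the host-based firewall rule the next tip recommends.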

The advisory states, “rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.” The agencies also provided detection signatures for BlackMatter that businesses can use to see whether the group has been active on their networks. While the group’s activity continues to be monitored, businesses would do well to prepare for the worst using the tools provided.