A coalition of federal agencies warned that the BlackMatter ransomware group targeted multiple US critical infrastructure entities including two US food and agriculture sector organizations.
The joint advisory by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warns that BlackMatter leverages Windows domain tools to discover hosts on the network and remotely encrypts them.
The advisory described BlackMatter as a ransomware-as-a-service (RaaS) tool benefiting from a cybercrime affiliate program involving BlackMatter actors who use its infrastructure to compromise the victims.
According to the advisory, BlackMatter was possibly a rebranding of the DarkSide ransomware gang that shut operations after the Colonial Pipeline ransomware attack.
The advisory further noted that BlackMatter’s ransom demands vary between $80,000 and $15,000,000, payable in Bitcoin and Monero.
BlackMatter ransomware activity first appeared in July 2021, according to the multi-agency joint cybersecurity advisory.
Several critical entities compromised by BlackMatter ransomware
The White House issued a general directive that stopped short of designating the food and agriculture sector as critical infrastructure, although the sector has critical dependencies on critical infrastructure entities, which makes it a priority target for cyber actors.
BlackMatter ransomware has already compromised multiple food and agriculture critical infrastructure entities.
One such attack affected the Iowa-based New Cooperative agricultural provider that suffered a BlackMatter ransomware attack on September 20, 2021. The cyber actor demanded a $5.9 million ransom to decrypt devices. Additionally, the threat actor exfiltrated financial documents, employee social security numbers, and networking information.
The timing of the attack suggested that the threat actor timed it to coincide with the harvest season to force the victim to pay the ransom.
Similarly, Minnesota’s Crystal Valley suffered a BlackMatter ransomware attack within two days of the New Cooperative attack.
Another victim of the BlackMatter ransomware was the Japanese medical and industrial equipment manufacturer Olympus, whose Americas and Europe, Middle East, and Africa (EMEA) segments were compromised.
However, NSA Director of Cybersecurity Rob Joyce noted that the ransomware threat extended beyond any single victim company.
Similarly, Assistant Director of the FBI’s Cyber Division, Bryan Vorndran said that many ransomware incidents went unreported. He advised ransomware victims to report the incidents because their silence only benefitted the cybercriminals.
BlackMatter ransomware operators’ tools, techniques, and procedures
The coalition of federal agencies enumerated the tools, techniques, and procedures (TTPs) employed by BlackMatter ransomware operators to infiltrate their victims.
They determined BlackMatter’s TTPs from samples analyzed in a sandbox environment and from “trusted third parties.”
According to the advisory, the BlackMatter threat actor used embedded or previously compromised credentials to access the Active Directory (AD) and Microsoft Remote Procedure Call (MSRPC) and discover hosts on the network through the Lightweight Directory Access Protocol (LDAP) and the Server Message Block (SMB) protocol.
The ransomware also discovered contents of network shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
“Active Directory is known as holding ‘the keys to the kingdom,’ which is why BlackMatter is targeting Active Directory in order to leverage the information within it so bad actors can spread their ransomware,” said Derek Melber, Chief Technology & Security Strategist at Tenable.
“By compromising Active Directory, bad actors can encrypt the data and effectively hold organizations, and their systems, hostage.
“BlackMatter enumerates not only computers but also users, service accounts, groups, and more to find other attack paths that lead to privilege escalation. This means that the Local Administrator Password Solution (LAPS) needs to be implemented, password reuse is prohibited, privileged accounts from Active Directory are not allowed to log on to workstations or servers, and resources (shared folders) are secured and removed if not needed.”
The joint advisory also disclosed that BlackMatter ransomware operators encrypted Linux-based machines and ESXi virtual machines using a separate encryption binary. Instead of encrypting backup systems, BlackMatter ransomware operators formatted and/or wiped data backup appliances to prevent restoration without ransom payment.
The federal agencies also published various detection signatures to detect malicious activity associated with BlackMatter ransomware operators.
“BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks,” the advisory stated.
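The advisory's own signatures are not reproduced here. As an added illustration (not code from the advisory or the agencies), the following detection logic flags one account/source pair touching the administrative shares named above (ADMIN$, C$, SYSVOL, NETLOGON) on many distinct hosts within a short window, which is the pattern that remote enumeration and encryption over SMB leaves in share-access logs. The log lines are constructed, and their text layout, the window and the threshold are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}
WINDOW = timedelta(minutes=5)   # look-back per (account, source) pair (assumed)
THRESHOLD = 3                   # distinct hosts with admin-share access (assumed)

# Constructed lines in the shape of Windows Security Event ID 5140 (network share
# accessed); the flat key=value layout is an assumption made for this example.
SAMPLE_LOG = """\
2021-09-20T02:11:03 EventID=5140 Account=CORP\\jdoe Source=10.0.9.41 Target=FS-01 Share=\\\\*\\Finance
2021-09-20T02:11:10 EventID=5140 Account=CORP\\svc_backup Source=10.0.5.17 Target=WS-0101 Share=\\\\*\\ADMIN$
2021-09-20T02:11:11 EventID=5140 Account=CORP\\svc_backup Source=10.0.5.17 Target=WS-0102 Share=\\\\*\\C$
2021-09-20T02:11:13 EventID=5140 Account=CORP\\svc_backup Source=10.0.5.17 Target=WS-0103 Share=\\\\*\\ADMIN$
2021-09-20T02:11:14 EventID=5140 Account=CORP\\svc_backup Source=10.0.5.17 Target=DC-01 Share=\\\\*\\SYSVOL
2021-09-20T02:40:00 EventID=5140 Account=CORP\\admin.ops Source=10.0.1.5 Target=WS-0200 Share=\\\\*\\C$
2021-09-20T03:00:00 EventID=4624 Account=CORP\\jdoe Source=10.0.9.41 Target=WS-0300 Share=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"Source=(?P<src>\S+) Target=(?P<tgt>\S+) Share=(?P<share>\S+)$"
)

def parse_events(text):
    """Yield (time, account, source, target, share name) for Event ID 5140 lines only."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] != "5140":
            continue
        share_name = m["share"].rsplit("\\", 1)[-1]      # \\*\ADMIN$ -> ADMIN$
        yield datetime.fromisoformat(m["ts"]), m["acct"], m["src"], m["tgt"], share_name

def detect_admin_share_sweeps(text, window=WINDOW, threshold=THRESHOLD):
    """Return {(account, source): sorted hosts} for pairs that reached administrative
    shares on at least `threshold` distinct hosts inside one sliding `window`."""
    per_key = defaultdict(list)
    for ts, acct, src, tgt, share in parse_events(text):
        if share.upper() in ADMIN_SHARES:
            per_key[(acct, src)].append((ts, tgt))
    alerts = {}
    for key, hits in per_key.items():
        hits.sort()                                     # oldest first
        for i, (ts, _) in enumerate(hits):
            recent = {t for t0, t in hits[: i + 1] if ts - t0 <= window}
            if len(recent) >= threshold and len(recent) > len(alerts.get(key, ())):
                alerts[key] = sorted(recent)            # widest host set observed
    return alerts

if __name__ == "__main__":
    for (acct, src), hosts in detect_admin_share_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {acct} from {src} reached admin shares on {len(hosts)} hosts: {hosts}")
```

Only the service account sweeping four hosts in seconds is flagged; the single C$ access by an administrator and the ordinary file-share access stay below the threshold, which is where a real deployment would tune the window against its own backup and management traffic.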
Protecting critical infrastructure entities from BlackMatter ransomware attacks
The advisory warned that an attack on critical infrastructure entities could deny consumers critical services. Consequently, they proposed various mitigations to prevent BlackMatter ransomware attacks against critical infrastructure entities.
According to the advisory, implementing detection signatures, using strong passwords, implementing multi-factor authentication, patching and updating systems, and limiting resource access over the network could prevent BlackMatter ransomware attacks from succeeding.
Organizations should also implement network segmentation and traversal monitoring to prevent BlackMatter ransomware propagation across the network.
Additionally, they should leverage admin disabling tools to support identity and privileged access management and implement and enforce backup and restoration policies and procedures.
The agencies also discouraged critical infrastructure operators from paying the ransom when compromised by ransomware operators. This behavior only rewards the criminals and encourages them to target similar organizations.