By SecureWorld News Team
Wed | Oct 20, 2021 | 1:00 PM PDT

Ransomware-as-a-Service (RaaS) is wreaking havoc on critical infrastructure around the world, causing businesses large and small to take major financial hits of up to $15 million.

Three U.S. federal agencies have banded together to issue a joint cybersecurity advisory about BlackMatter, a RaaS tool cybercriminals have been using for profit. BlackMatter has been operating since July, according to the advisory.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) provided information about the techniques BlackMatter is using to hold organizations' networks for ransom.

"Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks," the statement reads.

SecureWorld News digs into BlackMatter's process and breaks down the risk mitigation tips in this article.

How do BlackMatter hackers infiltrate systems?

The federal agencies provide a description of how the bad actors are carrying out ransomware attacks. Analysis of BlackMatter's tactics, techniques, and procedures (TTPs) was gathered from third-party reporting of a sample run in a "sandbox environment," which allowed BlackMatter's process to be observed in a safe, monitored setting.

“Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found,” reads the statement.

Rather than encrypting backup data, BlackMatter wipes it clean in some cases.

"BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXI virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances."

In a table provided by the advisory, BlackMatter's practices are further outlined in accordance with the MITRE ATT&CK for Enterprise framework.

BlackMatter is believed to be a rebranding of DarkSide, a group of malicious hackers that was actively disrupting organizations from September 2020 through May 2021. DarkSide claimed it was shutting down earlier this year.

This group also successfully carried out agricultural supply chain cyberattacks on New Cooperative and Crystal Valley Cooperative back in September.

Techniques to mitigate the threats of ransomware

The advisory outlines several methods the U.S. agencies urge businesses to implement if they have not already done so.

CISA Director Jen Easterly took to Twitter and posted four methods to deter bad actors.

The techniques Easterly highlighted can be put in place today to protect against ransomware and follow the guidelines in the advisory. Here is a summary of those processes from the advisory.

  • Back up your data and put procedures in place for restoration. Be sure the backup data is encrypted.
  • Choose unique, strong passwords. Go a step further by regularly updating your passwords and enabling multi-factor authentication (MFA).
  • Update your systems regularly and check for patch updates, too.
  • Work on network segmentation and traversal monitoring procedures at your organization. Segmenting the networks protects against the spread of ransomware, while traversal monitoring can assist with detection.
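The last item, traversal monitoring, is the one defenders most often ask how to start on. The advisory says BlackMatter reaches hosts over SMB once it has a foothold and then encrypts them as they are found, so one cheap signal is a single workstation suddenly opening SMB (TCP/445) sessions to many distinct hosts in a short window. The script below is an added example written for this article; it is not code from SecureWorld, CISA, FBI, or NSA. The flow-record format, the hostnames, the five-minute window and the five-host threshold are all constructed assumptions, not a real vendor log format, and should be tuned to what is normal on your own network (file servers and backup agents legitimately fan out).

```python
"""
Added example: a minimal "traversal monitoring" check that flags any source host
contacting an unusually large number of distinct peers on TCP/445 within a short
window. Log format, hostnames and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "<ISO timestamp> <src host> <dst host> <dst port>".
# ws-02 is ordinary traffic, ws-17 fans out to six hosts in about 90 seconds,
# ws-09 touches six hosts but spread 12 minutes apart (outside a 5-minute window).
SAMPLE_FLOWS = """\
2021-10-20T13:00:01 ws-02 dc-01 389
2021-10-20T13:00:03 ws-02 fs-01 445
2021-10-20T13:04:10 ws-02 fs-01 445
2021-10-20T13:10:00 ws-17 dc-01 389
2021-10-20T13:10:02 ws-17 fs-01 445
2021-10-20T13:10:05 ws-17 fs-02 445
2021-10-20T13:10:09 ws-17 ws-03 445
2021-10-20T13:10:14 ws-17 ws-04 445
2021-10-20T13:10:20 ws-17 srv-05 445
2021-10-20T13:11:30 ws-17 srv-06 445
2021-10-20T13:00:00 ws-09 fs-01 445
2021-10-20T13:12:00 ws-09 fs-02 445
2021-10-20T13:24:00 ws-09 ws-03 445
2021-10-20T13:36:00 ws-09 ws-04 445
2021-10-20T13:48:00 ws-09 srv-05 445
2021-10-20T14:00:00 ws-09 srv-06 445
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smb_fanout_alerts(flows, window=timedelta(minutes=5), threshold=5, port=445):
    """
    Return {src: sorted peers} for every source that reached at least `threshold`
    distinct destinations on `port` inside any sliding time window of length `window`.
    The peers reported are those in the densest window seen for that source.
    """
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port and src != dst:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp, then destination
        best = set()
        start = 0
        for end, (ts_end, _) in enumerate(events):
            # Advance the window start until it is within `window` of the newest event.
            while ts_end - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) > len(best):
                best = peers
        if len(best) >= threshold:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, peers in smb_fanout_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} opened SMB sessions to {len(peers)} hosts: {', '.join(peers)}")
```

Run as-is it reports only ws-17; widening the window to an hour also catches ws-09, which is the knob you would turn for a slower-moving actor. A real deployment would read firewall, NetFlow or EDR network events instead of the embedded sample, and would whitelist the handful of servers expected to talk to everyone.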

If you believe your organization has been hit by ransomware, report the incident to CISA, FBI, or U.S. Secret Service immediately using the following websites.

  • CISA: us-cert.cisa.gov/report
  • FBI: fbi.gov/contact-us/field-offices
  • U.S. Secret Service: secretservice.gov/contact/field-offices

Learn more about the technical details at us-cert.cisa.gov or by downloading the PDF version of the advisory statement here.
