The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) gave a joint advisory regarding persistent BlackMatter ransomware attacks.
The group continues to run attacks in the U.S.A. since July 2021. It has conducted attacks on critical infrastructure entities including two agencies in the U.S. Food and Agriculture Sector. Data has been received that connects the group to the DarkSide ransomware gang that executed attacks from September 2020 to May 2021. The Colonial Pipeline attack with the BlackMatter ransomware is likely a rebrand of the DarkSide operations.
Inquiry into the attacks has provided agencies with vital data concerning the tactics, techniques, and procedures (TTPs) of the group, and an examination has been conducted on a ransomware sample in a sandbox environment.
The ransomware gang is identified to employ already compromised credentials to acquire access to the systems of victims, then utilizes the Server Message Block (SMB) protocol and the Lightweight Directory Access Protocol (LDAP) to acquire access to the Active Directory (AD) and locate all hosts on the system. The BlackMatter group deploys ransomware and then encrypts the hosts and shared drives remotely when they are located. The gang has been found to exfiltrate files and normally requires ransom payments of around $80,000 – $15 million in Bitcoin or Monero.
In the shared advisory, the NSA, CISA and FBI mentioned TTPs, provide Snort signatures which could be employed for uncovering the network activity linked with BlackMatter ransomware attacks, and various mitigations to cut down the possibility of a breach by the group.
Mitigations comprise of:
- Employing detection signatures to distinguish and prohibit attacks in progress
- Utilizing strong passwords tolerant to brute force attacks
- Using multi-factor authentication to prohibit the usage of compromised credentials
- Patching and making updates to systems quickly
- Confining access to sources in networks
- Employing network segmentation and traversal tracking
- Employing admin disabling tools to support identity and privileged access administration
- Employing and enforcing backup and recovery plans and processes
