Higher Risk of BlackMatter Ransomware Attack on the Health and Public Health Sector

The Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services has reported an increased risk of ransomware attacks on the health and public health sector by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation.

The BlackMatter threat gang surfaced in July 2021, after the DarkSide ransomware group halted its attacks and the Sodinokibi/REvil operation took its infrastructure offline. The Russian threat group is believed to operate out of Eastern Europe and has carried out many attacks in the last few months in Chile, Brazil, India, the United States, and Thailand. The group also began leaking stolen data on its leak website on August 11, 2021.

The threat gang has mainly attacked organizations in the food and beverage, real estate, architecture, IT, education, and financial services industries. Although the gang has publicly stated that it will not attack hospitals, critical infrastructure organizations, government, nonprofits, or defense contractors, there is concern that such attacks may still occur.

In its pitch to prospective affiliates, the threat group stated that its ransomware combines the best capabilities of the DarkSide, Sodinokibi/REvil, and LockBit 2.0 ransomware variants. A technical analysis of the ransomware found several commonalities with the Sodinokibi/REvil and DarkSide variants, indicating that the group has ties to those operations.

BlackMatter has stated that its affiliates are not permitted to attack hospitals, and that if a hospital or nonprofit organization is attacked, the victim can contact the group and request free decryption. The gang has also said it will not allow its ransomware to be used to encrypt critical infrastructure, as that would draw unwanted attention. There is, of course, no assurance that an attack will not happen or that a free decryptor will be provided. As HC3 notes, these are BlackMatter's own claims and may not be accurate. Moreover, both the Sodinokibi/REvil and DarkSide ransomware variants have been used in attacks on the health and public health sector.

The threat group is actively recruiting initial access brokers (IABs) who can provide access to corporate networks, as well as affiliates to carry out attacks. IABs commonly sell compromised VPN credentials, RDP credentials, and web shells, which give ransomware gangs the initial foothold they need to launch attacks.

According to HC3, there were about 65 instances last year of threat actors selling network access to healthcare organizations on hacking forums. An analysis of 1,000 forum posts offering network access last year found that the United States was the worst affected country and that 4% of the breached organizations were in the healthcare sector.

BlackMatter is used in attacks on both Linux and Windows systems. It encrypts files using Salsa20 and 1024-bit RSA, and attempts to mount and encrypt unmounted partitions. The ransomware encrypts files stored locally, on removable media, and on network shares, and deletes shadow copies to prevent restoration if the ransom is not paid. Files are also exfiltrated before encryption, and the stolen data is posted on the gang's leak website to pressure victims into paying.
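Deletion of Volume Shadow Copies, as described above, is one of the few steps in a ransomware intrusion that leaves a clear trace in process-creation telemetry before any file is encrypted. The following is an added example (not code from the HC3 report or from any source the article cites) of a small detector that scans process-creation log lines for the well-known Windows shadow-copy deletion commands. The `timestamp|host|user|parent|command line` log format and the sample lines are constructed for this example; the command patterns are generic indicators of shadow-copy deletion, not a claim about the exact commands BlackMatter runs.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample process-creation events (not real telemetry).
# Assumed format: timestamp|host|user|parent process|command line
SAMPLE_LOGS = [
    "2021-09-20T10:01:12Z|ws-042|jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe notes.txt",
    "2021-09-20T10:02:40Z|ws-042|jdoe|cmd.exe|vssadmin delete shadows /all /quiet",
    "2021-09-20T10:02:41Z|ws-042|jdoe|cmd.exe|wmic shadowcopy delete",
    "2021-09-20T10:03:05Z|srv-01|backupsvc|backupagent.exe|vssadmin list shadows",
    "2021-09-20T10:04:00Z|ws-042|jdoe|powershell.exe|Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }",
]

# Generic signatures for shadow-copy deletion. Listing or creating shadow
# copies (e.g. "vssadmin list shadows") is normal backup activity and is
# deliberately not matched.
SHADOW_COPY_DELETION_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("ps_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
]


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    parent: str
    rule: str
    command: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split a log line into its five fields.

    maxsplit=4 keeps any '|' characters inside the command line (for example a
    PowerShell pipeline) as part of the command field instead of breaking parsing.
    """
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return tuple(parts)  # type: ignore[return-value]


def detect_shadow_copy_deletion(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per log line whose command matches a deletion rule."""
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; a real pipeline would count these
        ts, host, user, parent, cmd = parsed
        for rule, pattern in SHADOW_COPY_DELETION_RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ts, host, user, parent, rule, cmd))
                break  # one alert per event is enough
    return alerts


def hosts_with_alerts(alerts: Iterable[Alert]) -> List[str]:
    """Distinct hosts on which shadow-copy deletion was observed."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    found = detect_shadow_copy_deletion(SAMPLE_LOGS)
    for a in found:
        print(f"[{a.rule}] {a.timestamp} host={a.host} user={a.user} "
              f"parent={a.parent} cmd={a.command}")
    print("hosts to isolate and investigate:", hosts_with_alerts(found))
```

Run against the constructed sample, the detector flags the three deletion events on `ws-042` and ignores the backup service's `vssadmin list shadows` on `srv-01`. In practice this logic would sit on top of endpoint process-creation events (Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line logging enabled), and an alert should trigger host isolation and a check of the most recent offline backup, since it usually precedes encryption by minutes.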

Even if a free decryptor is provided, the cost of recovering from an attack is likely to be substantial. It is therefore essential for the health and public health sector to take steps to strengthen defenses against BlackMatter and other ransomware attacks.

In the threat report, HC3 gives the following cybersecurity recommendations to reduce the BlackMatter threat:

  • Maintain offline encrypted backups
  • Routinely test backups to make sure file restoration is possible
  • Create, maintain, and exercise a fundamental cyber incident response plan and communications strategy
  • Mitigate Internet-facing vulnerabilities and misconfigurations
  • Patch promptly
  • Provide regular security awareness training for employees
  • Implement defenses such as spam filters against phishing emails and social engineering attacks