
Government Agencies Warn About BlackMatter Ransomware

by Chris Brook on Thursday October 21, 2021

CISA, the FBI, and NSA provided defenders with tips to protect networks and mitigations to prevent the spread of the ransomware.

Another week, another government ransomware warning.

This week, federal agencies are sounding the alarm over attacks carried out recently by the BlackMatter ransomware group.

While the group isn't new - it first emerged on the scene in July, ramping up its ransom demands as high as $3 to $4 million - the advisory about the ransomware, issued by the FBI, NSA, and CISA on Monday, is.

A ransomware-as-a-service (RaaS) operation, BlackMatter lets its developers sell or lease the ransomware to affiliates and profit from the affiliates' attacks. Experts have hinted since some of the first BlackMatter attacks, back in July, that the group bore some resemblance to DarkSide, a group that was active from September 2020 to May this year and was connected to this spring's attack against Colonial Pipeline.

The group made headlines earlier this year when it promised not to hit the following sectors:

  • Hospitals
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
  • Oil and gas industry (pipelines, oil refineries)
  • Defense industry
  • Non-profit companies
  • Government sector

While it has only been active a few months, BlackMatter has been responsible for a handful of attacks, including one against the Japanese tech company Olympus, and an attack last month on the farming cooperative NEW Cooperative in which it demanded $5.9 million, a sum the group threatened to increase to $11.8 million if not paid within five days. That one came a week after an attack against Crystal Valley, another farming co-op, based in Minnesota.

According to CISA, the group primarily uses previously compromised credentials. From there, it uses the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Directory, and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate hosts on the network. It then encrypts those hosts and any shared drives.

Sometimes the group isn't in the business of encrypting at all; it simply destroys.

“When the actors found backup data stores and appliances on the network, not stored offsite, they wiped or reformatted the data,” CISA’s advisory reads.

To reduce the risk of a BlackMatter attack, organizations should follow the ransomware mitigations CISA has recommended previously, including the use of strong passwords, multi-factor authentication, patch management, network segmentation, and traversal monitoring. One tip that government agencies have emphasized of late is the concept of time-based access and tools that can help supplement access management. If attackers were to use stolen or compromised credentials during off hours (say, over the weekend), that access may not be detected. For administrators with higher-level admin access, organizations should consider employing just-in-time access, CISA recommends.
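Two of the points above lend themselves to simple detection logic: the srvsvc.NetShareEnumAll host enumeration CISA describes, and the observation that credential use during off hours tends to go unnoticed. The following is an added example, not code from the advisory or from Digital Guardian; the log format and the sample records it parses are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the advisory): time, source host,
# account, target host, MSRPC call. One host sweeps five targets within
# seconds on a Saturday night; a user touches two shares on a Monday morning.
SAMPLE_LOGS = """\
2021-10-16T02:11:05 ws-17 svc-backup fs-01 NetShareEnumAll
2021-10-16T02:11:06 ws-17 svc-backup fs-02 NetShareEnumAll
2021-10-16T02:11:06 ws-17 svc-backup dc-01 NetShareEnumAll
2021-10-16T02:11:07 ws-17 svc-backup hr-01 NetShareEnumAll
2021-10-16T02:11:08 ws-17 svc-backup app-03 NetShareEnumAll
2021-10-18T09:30:12 ws-04 alice fs-01 NetShareEnumAll
2021-10-18T10:02:44 ws-04 alice fs-02 NetShareEnumAll
"""

def parse(text):
    """Parse space-separated records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, dst, call = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "user": user, "dst": dst, "call": call})
    return events

def share_enum_fanout(events, min_hosts=4, window=timedelta(minutes=5)):
    """Flag (src, user) pairs that ran NetShareEnumAll against >= min_hosts
    distinct targets inside a sliding window: wide, fast enumeration is
    reconnaissance, not ordinary use of a file share."""
    by_actor = defaultdict(list)
    for e in events:
        if e["call"] == "NetShareEnumAll":
            by_actor[(e["src"], e["user"])].append(e)
    flagged = set()
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged.add(actor)
                break
    return flagged

def off_hours(events, start_hour=8, end_hour=18):
    """Return events outside weekday business hours (assumed 08:00-18:00),
    the window in which credential misuse most often goes unnoticed."""
    return [e for e in events
            if e["ts"].weekday() >= 5
            or not start_hour <= e["ts"].hour < end_hour]
```

In practice the same two checks would run over SMB/RPC telemetry or Windows share-access events rather than this constructed format; the logic is what matters.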

CISA, the FBI, and NSA also encourage organizations to follow their ransomware response checklist, scan their backups, follow incident response best practices, and report any incidents to the appropriate parties.

Defenders looking for more information should refer to the advisory for BlackMatter TTPs - tactics, techniques, and procedures - detection signatures, and mitigations.

Tags: Ransomware, Government

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.