How to Stay Safe from BlackMatter Ransomware Attacks
FBI, NSA, and CISA Published an Advisory About the BlackMatter Ransomware Gang Modus Operandi.
Last updated on June 7, 2022
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) all provide data that can assist companies in defending against and detecting this adversary’s network activities.
The BlackMatter ransomware-as-a-service campaign started with the explicit objective of penetrating corporate networks belonging to organizations with a turnover of at least $100 million in the United States, Canada, Australia, and the United Kingdom.
BlackMatter is responsible for encrypting systems at a number of companies in the United States and demanding ransoms of up to $15 million in Bitcoin.
The combined cybersecurity advice from CISA, the FBI, and the NSA details the strategies, techniques, and processes used by the BlackMatter ransomware group, which might help businesses defend themselves.
The threat actor utilized compromised administrator credentials to find all the hosts in the victim’s Active Directory, according to one variation of the malware examined in an isolated environment.
This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA-256: 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.
The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.
BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
The advisory warns about the fact that, unlike other ransomware actors, BlackMatter wipes or reformats any backup data stores.
How to Stay Safe from BlackMatter
The three agencies generated signatures for the open-source Snort network intrusion detection and prevention system that can warn when a remote encryption process begins based on recognized TTPs linked with BlackMatter ransomware.
As thoroughly explained by BleepingComputer, CISA, the FBI, and the NSA have developed a set of cybersecurity tactics to combat BlackMatter ransomware assaults, which range from simple password hygiene to mitigations aimed to reduce the Active Directory attack surface.
Aside from the Snort signatures mentioned above, the agencies advise adopting strong, unique passwords for other accounts such as admin, service, and domain administrators.
All services that allow multi-factor authentication should be turned on, and installing security patches on time remains “one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.”
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.