Despite promises made by the BlackMatter ransomware gang about which organizations and business types they would avoid, multiple US critical infrastructure entities have been targeted. Now, the Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) have issued a warning on BlackMatter ransomware, and tips on how to avoid it.
BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, and has some similarities to REvil. According to its own site:
"The project has incorporated in itself the best features of DarkSide, REvil and LockBit"
On their own leak site, the BlackMatter gang claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:
- Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
- Oil and gas industry (pipelines, oil refineries)
- Defense industry
- Non-profit companies
- Government sector
A recent high-profile victim of BlackMatter was Japan-headquartered manufacturer Olympus which, among others, produces medical equipment. BlackMatter is also named as the likely culprit behind the cybersecurity incident affecting US farmers’ cooperative NEW Cooperative.
All in all, the BlackMatter group have performed attacks against several US-based organizations and demanded ransoms ranging from 80 thousand to 15 million US dollars in Bitcoin and Monero.
How to avoid BlackMatter ransomware
CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, detection signatures, and mitigations.
Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.
- Use strong and unique passwords. Passwords shouldn't be reused across multiple accounts or stored on a system where an adversary may gain access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
- Implement and require Multi-Factor Authentication (MFA) where possible and especially for webmail, virtual private networks, and accounts that access critical systems.
- Patch and update. Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Limit access to resources over the network. Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
- Implement network segmentation and traversal monitoring. This will hinder an adversary from learning the organization’s enterprise environment. Many attackers use system and network discovery techniques for network and system mapping.
- Implement time-based access for accounts set at the admin-level and higher. BlackMatter operatives have been noticed to use compromised credentials during non-business hours, which allows them to go undetected for longer periods.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line.
- Implement and enforce backup and restoration policies and procedures. Doing backups right is not as easy as some may think. Make sure they are recent, cannot be altered or deleted, and cover the entire organization’s data infrastructure.
Furthermore, CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:
- Disable the storage of clear text passwords in LSASS memory.
- Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
- Implement Credential Guard for Windows 10 and Server 2016.
- Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Ticket Granting services can be used to obtain hashed credentials that attackers attempt to crack or use in pass-the-hash methods.
Bad things happen
If, despite your best efforts, a ransomware incident occurs at your organization, CISA, the FBI, and NSA say US-based organizations should:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan backups. If possible, scan backup data with an antivirus program to check that it is free of malware.
- Report incidents immediately to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the US Secret Service at a US Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.
Stay safe, everyone!