Alongside the rise in cyberattacks, new cybercriminal groups have been emerging at a rapid pace. Governments across the globe are putting advanced security measures in place to keep up with evolving threat actor groups. Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI jointly released a cybersecurity advisory on the infamous BlackMatter ransomware group, detailing its tactics, techniques, and procedures (TTPs).
BlackMatter Ransomware
Active since July 2021, BlackMatter is a ransomware-as-a-service (RaaS) operation that enables threat actors and cybercriminal affiliates to deploy ransomware on targeted victims’ devices. BlackMatter operators have targeted several critical infrastructure entities in the U.S. and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero. The group has also leveraged embedded and previously compromised credentials to illicitly access Active Directory (AD) and discover all hosts on the targeted network.
The operators recently compromised and infected NEW’s network systems and demanded a ransom of $5.9 million to restore the affected systems. The attack affected the operations of several grain storage elevators and farming activities, causing severe disruption to the food supply chain.
How to Detect BlackMatter Ransomware
The advisory shares two Snort signatures that help detect network activity linked to BlackMatter.
- Intrusion Detection System Rule:
alert tcp any any -> any 445 (msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111;)
- Inline Intrusion Prevention System Rule:
alert tcp any any -> any 445 (msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; priority:1; sid:10000001;)
rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400
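To make the two rules concrete, the following is an added Python example (not code from the advisory or from CISA) that re-implements their logic over constructed packets: it decodes the second content match to show what the rule is looking for, applies the two content checks with Snort's distance semantics (the second pattern must begin at least 100 bytes after the first one ends), and models the detection_filter as a per-source sliding window that raises an alert on the fourth matching packet within one second. The sample traffic, IP addresses, and the simplified Snort semantics are assumptions for illustration, not captured data.

```python
"""Toy re-implementation of the BlackMatter Snort rule's content checks and
detection_filter, run over constructed SMB-like payloads. Added example; not
the advisory's own tooling."""
from collections import defaultdict, deque

# Byte patterns copied from the advisory's rule. The second one is ".README.t"
# in UTF-16LE, i.e. the start of the ransom-note filename being written to a
# remote share over SMB (TCP/445).
SMB_WRITE_PATTERN = bytes.fromhex("01 00 00 00 00 00 05 00 01 00")
README_PATTERN = bytes.fromhex("2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00")
DISTANCE = 100          # distance:100 -> second content starts >= 100 bytes after the first ends
DST_PORT = 445          # "-> any 445"
FILTER_COUNT = 4        # detection_filter: track by_src, count 4, seconds 1
FILTER_SECONDS = 1.0


def readme_pattern_text() -> str:
    """Decode the second content match so an analyst can see what it represents."""
    return README_PATTERN.decode("utf-16-le")


def payload_matches(payload: bytes) -> bool:
    """Apply both content checks with Snort's distance semantics (simplified)."""
    first = payload.find(SMB_WRITE_PATTERN)
    if first < 0:
        return False
    search_from = first + len(SMB_WRITE_PATTERN) + DISTANCE
    return payload.find(README_PATTERN, search_from) >= 0


class DetectionFilter:
    """Per-source sliding window: fire once `count` matches fall within `seconds`."""

    def __init__(self, count: int = FILTER_COUNT, seconds: float = FILTER_SECONDS):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)

    def record(self, src: str, ts: float) -> bool:
        window = self.hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:   # drop hits outside the window
            window.popleft()
        return len(window) >= self.count


def run_rule(packets):
    """packets: iterable of (timestamp, src_ip, dst_port, payload). Returns (ts, src) alerts."""
    filt = DetectionFilter()
    alerts = []
    for ts, src, dport, payload in packets:
        if dport != DST_PORT or not payload_matches(payload):
            continue
        if filt.record(src, ts):
            alerts.append((ts, src))
    return alerts


def make_payload(gap: int) -> bytes:
    """Constructed packet: write header, `gap` filler bytes, then the ransom-note name."""
    return SMB_WRITE_PATTERN + b"\x00" * gap + README_PATTERN + "xt".encode("utf-16-le")


# Constructed sample traffic (assumed values, not captured data).
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", 445, make_payload(120)),
    (0.10, "10.0.0.5", 445, make_payload(150)),
    (0.20, "10.0.0.5", 445, make_payload(130)),
    (0.30, "10.0.0.5", 445, make_payload(140)),   # 4th hit within 1 s -> alert
    (0.40, "10.0.0.5", 445, make_payload(40)),    # pattern too close (distance < 100) -> no match
    (1.00, "10.0.0.6", 445, make_payload(120)),
    (2.00, "10.0.0.6", 445, make_payload(120)),
    (3.00, "10.0.0.6", 445, make_payload(120)),   # never 4 hits in one window -> no alert
    (3.10, "10.0.0.6", 80,  make_payload(120)),   # wrong destination port -> ignored
]

if __name__ == "__main__":
    print("second content decodes to:", repr(readme_pattern_text()))
    for ts, src in run_rule(SAMPLE_PACKETS):
        print(f"ALERT BlackMatter remote encryption attempt from {src} at t={ts}")
```

The threshold matters for tuning: a single write of a file whose name starts with ".README.t" is ordinary, so the rule only fires when one host pushes four such writes to port 445 within a second, which is the burst pattern of a host encrypting remote shares. When deploying the real rules, keep the advisory's sids and adjust only the count/seconds values if your environment produces false positives.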
Responding to Ransomware Attacks
In case of a ransomware incident, the federal agencies recommended that organizations:
- Follow the Ransomware Response Checklist in the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan backups with an antivirus program to check that they are free of malware.
- Report incidents immediately to the FBI at a local FBI Field Office, CISA at uscert.cisa.gov/report, or the U.S. Secret Service at a U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the U.K.
Mitigating BlackMatter
The agencies urged security admins and organizations, especially in the critical infrastructure sector, to apply the following mitigation measures to reduce the risk of compromise by BlackMatter ransomware:
- Implement the detection signatures identified above
- Enable multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems
- Keep all operating systems and software up to date
- Remove unnecessary access to administrative shares
- Implement network segmentation and traversal monitoring
- Enforce backup and restoration policies and procedures
“Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks,” the advisory stated.