Notification Issued Regarding Ongoing BlackMatter Ransomware Attacks

The Federal Bureau of Investigation (FBI), National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert about continuing BlackMatter ransomware attacks.

The group has been executing attacks in the U.S. starting July 2021. It has launched attacks on critical infrastructure entities and two establishments in the U.S. Food and Agriculture Sector. Proof has been acquired that associates the gang to the DarkSide ransomware group that carried out attacks between September 2020 and May 2021. The attack on Colonial Pipeline with the BlackMatter ransomware is possibly a rebrand of the DarkSide campaigns.

Investigations into the attacks have given agencies crucial information regarding the tactics, techniques, and procedures (TTPs) of the group, and an evaluation has been done on a sample of the ransomware in a sandbox environment.

The ransomware gang is well-known to utilize previously compromised credentials to obtain access to the networks of victims, then leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) to gain access to the Active Directory (AD) and find all hosts on the network. The BlackMatter gang deploys ransomware then encrypts the hosts and shared drives remotely as they are found. The group has been known to exfiltrate information and usually demands ransom payments of about $80,000 to $15 million in Monero or Bitcoin.

In the joint notification, the NSA, FBI, and CISA discussed TTPs, provide Snort signatures that may be utilized for discovering the network activity connected with BlackMatter ransomware attacks, and a number of mitigations to minimize the threat of an attack by the gang.

Mitigations consist of:

  1. Employing detection signatures to recognize and obstruct attacks in progress
  2. Utilizing strong passwords resilient to brute force attacks
  3. Using multi-factor authentication to prevent the employment of stolen credentials
  4. Patching and updating systems immediately
  5. Restricting access to resources over networks
  6. Using network segmentation and traversal monitoring
  7. Employing admin disabling tools to support identity and privileged access control
  8. Applying and enforcing backup and restoration guidelines and procedures