In response to recent ransomware attacks, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA) have released a joint Cybersecurity Advisory (CSA): BlackMatter Ransomware. The CSA was developed to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. food and agriculture sector organizations.
First seen in July 2021, BlackMatter is ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible “rebrand” of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
Conversing with criminals
According to a Twitter feed, the BlackMatter group “just ransomed another food-critical infrastructure in the US. The ransom demand is 5,900,000$ for now.”
The same Twitter page quotes the agricultural group in writing to the attackers, “Your website says you do not attack critical infrastructure—we intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork and chicken supply chain. This will break the supply chain very shortly, and we will have to report this to our regulators and likely the public if this disruption continues. I assume you have thought that through? CISA is going to be demanding answers from us within the next 12 hours or so and we are going to have to tell them exactly what has happened and why the food chain is disrupted.”
The hackers’ “Support” team responded: “You do not fall under the rules, everyone will only incur losses, everything is tied to the commerce, the critical ones mean the vital needs of a person, and you earn money.
“Since everything is so serious with you, let’s come to an agreement quickly and solve everything quickly.”
The agricultural group responded, “It’s not that simple. And it does not sound like you actually have rules. Maybe you just say these things to sound like you care…”
According to a September 21 article on Security Affairs (www.securityaffairs.co), the farmers cooperative, NEW Cooperative (feed and grain), was hit by the BlackMatter ransomware, demanding a $5.9 million ransom. The criminals claim to have stolen 1,000 GB of data including the source code for the soilmap.com project, financial info, network information, R&D results, sensitive employee information, legal and executive info and more.
Derivation of BlackMatter
According to a McAfee.com report written by Alexandre Mundo and Marc Elias on Sep 22, 2021, BlackMatter got started with a strong group of attacks and some advertising from its developers, which claim they take the best pats of other malware such as GrandCrab, LockBit and DarkSide even though they say they are a new group of developers. McAfee, on the other hand, says that after analysis, the BlackMatter ransomware has a great deal in common with DarkSide, the malware associated with the attack on the Colonial Pipeline.
The ransomware is typically seen as a Windows .EXE program, and in some special cases as a Windows dynamic link library (DLL). McAfee says that Linux machines can also be affected with special versions compiled for Linux operating systems.
CISA overview and warnings
The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.
BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
CISA warns users how to mitigate BlackMatter attacks
CISA, FBI and NSA urge operators and network defenders, especially for critical infrastructure organizations, to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
Implement detection signatures—Implement the detection signatures identified above. These signatures will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours.
Use strong passwords—Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts.) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.
Implement multi-factor authentication—Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Patch and update systems—Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Limit access to resources over the network—Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to allow only connections to administrative shares via SMB from a limited set of administrator machines.
Implement network segmentation and traversal monitoring—Adversaries use system and network discovery techniques for network and system visibility and mapping. Segment networks to prevent the spread of ransomware. Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Use admin disabling tools to support identity and privileged access management—If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected. Given that there has been an observed increase in ransomware attacks during non-business hours, especially holidays and weekends, CISA, the FBI, and NSA recommend organizations:
- Implement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Implement and enforce backup and restoration policies and procedures—Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom demand. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.
CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:
- Disable the storage of clear text passwords in LSASS memory.
- Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
- Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
- Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack. Set a strong password policy for service accounts. Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.
Resources:
Alert (AA21-291A), “BlackMatter Ransomware,” Original release date: October 18, 2021, CISA, https://us-cert.cisa.gov/ncas/alerts/aa21-291a
“An interview with BlackMatter: A new ransomware group that’s learning from the mistakes of DarkSide and REvil;” The Record, Aug. 2, 2021 (https://tinyurl.com/6uuu4jnk)
“BlackMatter Ransomware Analysis; The Dark Side Returns,” Alexandre Mundo and Marc Elias on Sep 22, 2021; McAfee.com (https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/blackmatter-ransomware-analysis-the-dark-side-returns/)
BlackMatter hits food critical infrastructure company for $5.9 million, Twitter, Accessed October 18, 2021 (https://twitter.com/ido_cohen2/status/1439863554606305286/photo/1)
