BlackMatter ransomware has been around since July 2021 and has been used to target organizations that provide important services to American citizens, including two organizations in the U.S. Food and Agriculture Sector.
BlackMatter is actually a ransomware-as-a-service (RaaS) platform, and some have claimed it to be a rebrand of DarkSide RaaS. As with most RaaS models, BlackMatter can be leased to novice threat actors in exchange for a share of any profits made. Some of the ransomware attacks carried out using BlackMatter RaaS have demanded payments of up to $15,000,000 in Bitcoin or Monero.
How does BlackMatter Ransomware work?
BlackMatter targets Microsoft Active Directory (AD) and tries to gain access to AD using compromised credentials via the Lightweight Directory Access Protocol (LDAP) and the Server Message Block (SMB) protocol. It also uses a number of built-in Windows functions to identify resources that it can exploit to move laterally to other systems.
BlackMatter will also try to terminate security software and other Windows processes and services. Once an account has been compromised, the attackers scope out the network for hosts and open shares, and then initiate the encryption process. BlackMatter will also try to locate backups and either destroy or reformat them. As with DarkSide ransomware, BlackMatter can also infect Linux-based machines.
Examples of BlackMatter Ransomware Attacks
The BlackMatter website states that they do not attack critical infrastructure; however, the group was behind an attack on a farmers' cooperative called NEW Cooperative Inc. While a farmers' cooperative may not seem like “critical infrastructure”, it is worth noting that approximately 40% of grain production runs on NEW Cooperative software.
Moreover, President Joe Biden included the food and agriculture sector in a list of 16 critical infrastructure sectors that are “off-limits” to cyberattacks. The BlackMatter group claims to have stolen 1,000 GB of data from NEW Cooperative Inc., including financial, R&D, and legal information, as well as source code and sensitive employee information.
How to Protect Against BlackMatter Ransomware Attacks
Protection against BlackMatter ransomware attacks involves many of the same techniques, tools, and technologies as protection against other forms of ransomware, particularly DarkSide. In addition to carrying out regular security awareness training to help employees identify the signs of a ransomware attack, it is recommended that you implement the following mitigation methods:
Use strong and unique passwords: Ensure that admin accounts, domain admin accounts, and service accounts have strong passwords, and that these passwords are not reused. Use multi-factor authentication wherever possible, and consider disabling the storage of clear-text passwords in LSASS memory.
Enforce “least privilege” access: Ensure that users are granted only the privileges they need to perform their role, and implement Just-in-Time (JIT) access so that elevated permissions are granted on a time-limited basis.
Keep all software up to date: Ensure that all software is patched in an organized and timely manner, especially your operating system.
Segment your network: Use network segmentation in order to help prevent the spread of ransomware.
Protect your backups: In addition to encrypting backups, ensure that they are stored in a secure location.
Turn off Remote Desktop Protocol (RDP): It is generally a good idea to disable RDP if you are not using it. If you are using it, make sure that it is running on a non-standard port.
Audit Domain Controllers: Closely monitor your Domain Controllers for anomalous Kerberos Ticket-Granting Service requests.
Use an Intrusion Prevention System (IPS): Use an IPS or Data Loss Prevention (DLP) solution to identify suspicious inbound and outbound network traffic, such as a large number of files being copied to an unknown location outside of your network.
Monitor access to privileged accounts: Use Active Directory or Azure AD auditing software to identify anomalous logon attempts associated with your privileged accounts, including your admin accounts, domain admin accounts, and service accounts.
Use threshold alerting: Adopt a solution that will detect and respond to events that match a pre-defined threshold condition, such as when multiple files have been encrypted or copied within a given time frame. If the threshold condition is met, a custom script can be executed, which might disable a user account, stop a specific process, change the firewall settings, or shut down the affected server.
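The two detection items above (anomalous Kerberos Ticket-Granting Service requests on Domain Controllers, and threshold alerting on bursts of file activity with an automated response) share one mechanism: count events per principal inside a sliding time window and fire when a threshold is crossed. The following is an added example, not code from the article or from any vendor product, showing that mechanism in Python. Event IDs 4769 (Kerberos service ticket requested) and 4663 (object access) are real Windows Security log event IDs; the one-line log format, the account and host names, and the threshold values are all constructed assumptions for illustration. The response hook only records the action it would take (disable an account, block a host) rather than performing it.

```python
"""Sliding-window threshold alerting over Windows security events (added example).

All log lines, names and thresholds below are constructed for illustration.
Events are assumed to arrive in timestamp order, as they would from a single
collector; an out-of-order feed would need a sort step before feed().
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_line(line):
    """Parse a constructed 'ISO-timestamp Key=Value Key=Value ...' line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


class ThresholdDetector:
    """Fire when one principal touches >= threshold distinct values inside the window."""

    def __init__(self, name, group_by, count_distinct, threshold, window_seconds,
                 respond, match=lambda event: True):
        self.name = name
        self.group_by = group_by            # field that identifies the principal
        self.count_distinct = count_distinct  # field whose distinct values are counted
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.respond = respond              # callback invoked with the alert dict
        self.match = match                  # pre-filter, e.g. only EventID 4769
        self._recent = defaultdict(deque)   # principal -> deque of (ts, value)
        self.alerts = []

    def feed(self, event):
        """Consume one event; return the current distinct count for its principal."""
        if not self.match(event):
            return 0
        key = event[self.group_by]
        recent = self._recent[key]
        recent.append((event["ts"], event[self.count_distinct]))
        cutoff = event["ts"] - self.window
        while recent and recent[0][0] < cutoff:   # expire entries outside the window
            recent.popleft()
        distinct = {value for _, value in recent}
        if len(distinct) >= self.threshold:
            alert = {"rule": self.name, "key": key, "distinct": len(distinct),
                     "at": event["ts"].isoformat()}
            self.alerts.append(alert)
            self.respond(alert)
            recent.clear()   # one burst produces one alert, not one per extra event
        return len(distinct)


# Constructed DC log: one service account pulls tickets for five services in two
# seconds, while a workstation user requests two tickets fifteen minutes apart.
KERBEROS_LOG = """\
2021-09-20T02:14:00Z EventID=4769 Account=amartin ServiceName=cifs/fs01 ClientAddress=10.0.8.41
2021-09-20T02:14:07Z EventID=4768 Account=svc_backup ServiceName=krbtgt ClientAddress=10.0.5.23
2021-09-20T02:14:09Z EventID=4769 Account=svc_backup ServiceName=MSSQLSvc/db01 ClientAddress=10.0.5.23
2021-09-20T02:14:09Z EventID=4769 Account=svc_backup ServiceName=MSSQLSvc/db02 ClientAddress=10.0.5.23
2021-09-20T02:14:10Z EventID=4769 Account=svc_backup ServiceName=HTTP/intranet ClientAddress=10.0.5.23
2021-09-20T02:14:10Z EventID=4769 Account=svc_backup ServiceName=ldap/dc01 ClientAddress=10.0.5.23
2021-09-20T02:14:11Z EventID=4769 Account=svc_backup ServiceName=cifs/fs01 ClientAddress=10.0.5.23
2021-09-20T02:29:00Z EventID=4769 Account=amartin ServiceName=HTTP/intranet ClientAddress=10.0.8.41
"""


def file_log_lines():
    """Constructed file-server log: one user writes 22 files in about four seconds."""
    lines = ["2021-09-20T03:05:00Z EventID=4663 User=amartin Path=\\\\fs01\\finance\\q3.xlsx Access=WriteData"]
    start = datetime(2021, 9, 20, 3, 6, 0, tzinfo=timezone.utc)
    for i in range(22):
        ts = (start + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} EventID=4663 User=jsmith Path=\\\\fs01\\finance\\doc{i:02d}.docx Access=WriteData")
    return lines


PLANNED_ACTIONS = {
    "kerberos-tgs-burst": "disable account {key} and notify the on-call analyst",
    "mass-file-write": "terminate the session of {key} and block its host at the firewall",
}


def run_demo():
    """Run both detectors over the constructed logs; return alerts and planned actions."""
    actions = []

    def respond(alert):
        actions.append(PLANNED_ACTIONS[alert["rule"]].format(**alert))

    kerberos = ThresholdDetector("kerberos-tgs-burst", "Account", "ServiceName",
                                 threshold=5, window_seconds=60, respond=respond,
                                 match=lambda e: e.get("EventID") == "4769")
    files = ThresholdDetector("mass-file-write", "User", "Path",
                              threshold=20, window_seconds=10, respond=respond,
                              match=lambda e: e.get("EventID") == "4663")
    for line in KERBEROS_LOG.splitlines():
        kerberos.feed(parse_line(line))
    for line in file_log_lines():
        files.feed(parse_line(line))
    return {"kerberos": kerberos.alerts, "files": files.alerts, "actions": actions}


if __name__ == "__main__":
    for rule, alerts in run_demo().items():
        print(rule, alerts)
```

In practice the thresholds are the part that needs tuning against your own baseline: a backup or monitoring service account legitimately requests tickets for many services, so the Kerberos rule is usually scoped to accounts that have no business doing so, and the file rule is scoped to shares where a burst of writes from one user is not normal.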