The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.
This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.
The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.
The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.
The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.
BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang has implemented a Linux encryptor to targets VMware ESXi virtual machine platform.
BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
The sample analyzed by the researchers allowed them to discover that the ransomware operators used compromised administrator credentials to discover all the hosts in the victim’s Active Directory. In order to list all accessible network shares for each host the malicious code used Microsoft Remote Procedure Call (MSRPC) function (srvsvc.NetShareEnumAll) that allowed listing all accessible network shares for each host.
“The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.” reads the joint alert. “Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.”
BlackMatter operators use a separate encryption binary for Linux-based machines that can encrypt ESXi virtual machines. The experts noticed that BlackMatter operators wipe or reformat backup data stores and appliances instead of encrypting backup systems.
The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.
CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
The US agencies also urge critical infrastructure organizations to apply the following additional mitigations:
The alert also provides the following recommendations for responding to ransomware attacks:
(SecurityAffairs – hacking, BlackMatter ransomware)