FBI, NSA, CISA warn critical infrastructure entities of attacks using BlackMatter ransomware


U.S. security agencies released a joint cybersecurity advisory on Monday notifying organizations that cyber attackers using the BlackMatter ransomware could target multiple critical infrastructure entities. Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services.

The joint advisory provided details on the tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment, as well as from trusted third-party reporting. It also outlined mitigations to help improve ransomware protection, detection, and response. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. food and agriculture sector organizations, the advisory pointed out.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) based the advisory on an analyzed sample of BlackMatter ransomware and on information from trusted third parties. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access Active Directory (AD) and discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

“This advisory highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a media statement. “CISA, FBI and NSA are taking every step possible to try to make it harder for cyber criminals to operate. Americans can help us in this long-term endeavor by visiting Stopransomware.gov to learn how to reduce their risk of becoming a victim of ransomware.”

“The FBI, along with CISA and NSA, is dedicated to preventing, disrupting, and combating the evolving ransomware threat,” said Bryan Vorndran, assistant director of the FBI’s cyber division. “Unfortunately, too many ransomware incidents go unreported, and because silence benefits the cybercriminals the most, we ask targeted entities to contact their local FBI Field Office and speak to a cyber agent. By reporting a cyber incident, targeted entities are enhancing our ability to respond and investigate with the goal of disrupting cybercriminal operations.”

“The threat of ransomware goes beyond specific impacts to a victim company – it has risen to a national security issue,” said Rob Joyce, director of cybersecurity at NSA. “NSA’s technical skills and threat intelligence will continue to support our partners across government and industry to degrade adversary footholds into networks where they launch ransomware. Employing the mitigations in the joint advisory with CISA and FBI will protect networks and mitigate the risk against BlackMatter and other ransomware attacks.”

BlackMatter is a Ransomware-as-a-Service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates such as the BlackMatter hackers, who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter hackers have attacked numerous U.S.-based organizations and demanded ransom payments ranging from US$80,000 to $15,000,000 in Bitcoin and Monero.

The FBI determined in May that the DarkSide ransomware was responsible for the compromise of the Colonial Pipeline networks, which led the company to take certain systems offline to contain the threat. Colonial temporarily halted all pipeline operations, with some of its IT systems also affected, and was in the process of restoring them.

The BlackMatter variant uses embedded admin or user credentials that were previously compromised, along with other commands that enumerate running processes and services, the joint advisory said. BlackMatter then uses the embedded credentials with the LDAP and SMB protocols to discover all hosts in the AD, and uses the Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.

“Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON,” the joint advisory said.
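The behaviour described above leaves a distinctive trace: a single source host, using one set of credentials, touches administrative shares (ADMIN$, C$, SYSVOL, NETLOGON) on many peers in a short time. As an added example that is not part of the advisory or the article, the following Python detector scans flattened Windows Security event 5140 ("A network share object was accessed") records for exactly that fan-out; the record format, thresholds and sample events are constructed assumptions for illustration.

```python
"""Flag one source fanning out to admin shares on many hosts (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Share names as they appear in event 5140; these are the shares the advisory
# says BlackMatter encrypts remotely over SMB.
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$", "\\\\*\\SYSVOL", "\\\\*\\NETLOGON"}

# Constructed sample records, flattened as: timestamp|computer|user|source_ip|share
SAMPLE_5140 = [
    "2021-10-18T09:00:05|FS01|alice|10.0.0.21|\\\\*\\Finance",
    "2021-10-18T09:00:30|DC01|svc_backup|10.0.0.7|\\\\*\\SYSVOL",
    "2021-10-18T09:00:41|DC01|svc_backup|10.0.0.7|\\\\*\\NETLOGON",
    "2021-10-18T09:00:52|FS01|svc_backup|10.0.0.7|\\\\*\\C$",
    "2021-10-18T09:01:03|WS01|svc_backup|10.0.0.7|\\\\*\\ADMIN$",
    "2021-10-18T09:01:15|WS02|svc_backup|10.0.0.7|\\\\*\\C$",
    "2021-10-18T09:01:27|WS03|svc_backup|10.0.0.7|\\\\*\\ADMIN$",
    "2021-10-18T09:40:00|DC01|bob|10.0.0.33|\\\\*\\SYSVOL",
]


def parse_5140(line):
    """Split one flattened 5140 record into a dict with a real timestamp."""
    ts, computer, user, ip, share = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "computer": computer,
            "user": user, "ip": ip, "share": share}


def find_fan_out(lines, min_hosts=5, window=timedelta(minutes=10)):
    """Return {(source_ip, user): sorted hosts} for every source that accessed
    admin shares on at least min_hosts distinct computers within any sliding
    time window of the given length."""
    events = sorted((parse_5140(l) for l in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:          # ignore ordinary file shares
            by_src[(e["ip"], e["user"])].append(e)
    hits = defaultdict(set)
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:   # slide window start
                start += 1
            hosts = {x["computer"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[src] |= hosts
    return {src: sorted(h) for src, h in hits.items()}


def scan_sample():
    """Run the detector over the constructed records."""
    return find_fan_out(SAMPLE_5140)
```

Normal users touching one share on one server (alice, bob) never trip the threshold; the single account hitting admin shares on five hosts inside a minute does, which is the pattern to alert on and to use as a trigger for isolating the source host.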

BlackMatter hackers use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter attackers wipe or reformat backup data stores and appliances.

Commenting on the latest security advisory, James McQuiggan, security awareness advocate at KnowBe4, wrote in an emailed statement that “whether new cybercriminal groups surface or previous groups are restructuring or rebranding, they collaborate to target any organization that succumbs to a social engineering/phishing attack or exploits a vulnerability in an external-facing system like a web server, email system or VPN server.”

Organizations can protect against social engineering by ensuring a robust security awareness and training platform to instill a strong security culture and provide users who are aware of the latest threats and have a communication path to the necessary teams within the organization, according to McQuiggan. Providing these capabilities to users allows the organization to stop any threats and significantly reduce the risk of a cybercriminal attack through email.

“Organizations need to continue to ensure they have a well-documented and repeatable change control program to prioritize and implement all new software and hardware updates. These actions can eliminate the ability of cybercriminals to use known exploits on external and internet-connected systems,” he added.

The joint advisory comes less than a week after U.S. security agencies warned of ongoing cyber threats to the U.S. Water and Wastewater Systems (WWS) sector. The activity identified includes cyber intrusions leading to ransomware attacks, which threaten the ability of WWS facilities to provide clean and potable water and to effectively manage the wastewater of their communities. These threats come from both known and unknown hackers targeting the information technology (IT) and operational technology (OT) networks, systems, and devices of U.S. WWS sector facilities.

Critical infrastructure organizations with industrial control systems/operational technology networks should carefully review the cybersecurity advisory, and adopt mitigations to reduce the risk of adverse business or functional degradation should their entity fall victim to a ransomware attack, the guidance said.

To reduce the risk of compromise by BlackMatter ransomware, CISA, the FBI, and the NSA urge network defenders, especially critical infrastructure organizations, to implement the intrusion detection signatures and multi-factor authentication, use strong passwords, and immediately patch and update systems. The agencies also recommended implementing network segmentation and traversal monitoring, limiting access to resources over the network, supporting identity and privileged access management by using admin-disabling tools, and implementing and enforcing backup restoration policies and procedures.
