The FBI, in conjunction with CISA and the NSA, has issued a warning on BlackMatter ransomware. Despite the gang's promise not to target certain organizations, the threat remains.
BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims.
“The project has incorporated in itself the best features of DarkSide, REvil and LockBit”
On their leak site, the BlackMatter gang claim not to attack companies belonging to the following six industries, with the caveat that if or when any companies in these industries do get hit, such victims should simply ask for a free decryption:
- Critical infrastructure facilities
- Oil and gas industry
- Defense industry
- Non-profit companies
- Government sector
A recent high-profile victim of BlackMatter was the Japan-headquartered manufacturer Olympus which, among other things, produces medical equipment. BlackMatter is also named as the likely culprit behind the cybersecurity incident affecting the US farmers' cooperative NEW Cooperative. The BlackMatter group has performed attacks against several US-based organizations and demanded ransoms ranging from 80 thousand to 15 million US dollars in Bitcoin and Monero.
The CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, along with detection signatures and mitigations.
Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.
- Use strong and unique passwords.
- Implement MFA.
- Patch regularly.
- Limit access to resources over the network.
- Implement network segmentation and traversal monitoring.
- Implement time-based access for accounts set at the admin-level and higher.
- Disable command-line and scripting activities and permissions.
- Implement and enforce backup and restoration policies and procedures.
Furthermore, CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:
- Disable the storage of clear text passwords in LSASS memory.
- Consider disabling or limiting NTLM and WDigest Authentication.
- Implement Credential Guard for Windows 10 and Server 2016.
- Minimize the AD attack surface to reduce malicious ticket-granting activity.
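As an added example (not part of the advisory or this article), the following PowerShell audit snippet reports whether three of the credential-hardening settings listed above are in effect on a Windows host. The registry locations and WMI class are the documented Windows ones; the pass thresholds (for instance LmCompatibilityLevel 5) are this example's own assumptions. Run it in an elevated session:

```powershell
# Audit-only: report whether the credential-hardening settings recommended in the
# advisory are in effect on this host. Nothing is changed; remediation is left to
# the administrator. Thresholds below are this example's assumptions.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent -> Windows default applies
}

$findings = @()

# 1. WDigest: UseLogonCredential must be 0 so LSASS does not keep clear-text
#    passwords. On Windows 8.1 / Server 2012 R2 and later the default (absent) is 0.
$wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$wdigestShown = if ($null -eq $wdigest) { '(absent, default 0)' } else { $wdigest }
$findings += [pscustomobject]@{
    Control = 'WDigest clear-text credentials disabled'
    Value   = $wdigestShown
    Pass    = (($null -eq $wdigest) -or ($wdigest -eq 0))
}

# 2. NTLM: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1.
$lmLevel = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
$lmShown = if ($null -eq $lmLevel) { '(absent)' } else { $lmLevel }
$findings += [pscustomobject]@{
    Control = 'LM/NTLMv1 refused (LmCompatibilityLevel = 5)'
    Value   = $lmShown
    Pass    = ($lmLevel -eq 5)
}

# 3. Credential Guard: the Win32_DeviceGuard class reports SecurityServicesRunning,
#    which contains 1 when Credential Guard is actually running (not just configured).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
$dgShown = if ($null -eq $dg) { '(DeviceGuard class unavailable)' } else { ($dg.SecurityServicesRunning -join ',') }
$findings += [pscustomobject]@{
    Control = 'Credential Guard running'
    Value   = $dgShown
    Pass    = (($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1))
}

$findings | Format-Table -AutoSize
```

A `Pass` of `False` on any row points at a setting to enforce through Group Policy rather than by editing the registry by hand.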
Stay safe, stay vigilant, stay protected!