BlackMatter, a possible re-brand of DarkSide, which was active from September 2020 through May 2021 is back at it again. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture sector organizations, according to a joint advisory from the CISA, FBI and NSA.
Black Matter actors have attacked numerous U.S.-based organizations that have demanded ransom payments ranging from $80,000 to $15 million in Bitcoin and Monero.
BlackMatters is behind a ransomware-as-a-service tool that allows developers to profit from cyber criminal affiliates who deploy it against victims.
BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block Protocol (SMB) to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the host in shared drivers as they are found.
The Technical Details
According to the advisory:
“The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively.
BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.
BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.”
How to protect your organization from BlackMatter ransomware:
Implement Detection Signatures
The signatures will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours.
Use Strong Passwords
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts.) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
Implement Multi-Factor Authentication
Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Patch and Update Systems
Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Limit Access to Resources over the Network
Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines.
More mitigation efforts can be found on the CISA, FBI and NSA alert here.