Original release date: October 18, 2021
Actions You Can Take Now to Protect Against BlackMatter Ransomware
• Implement and enforce backup and restoration policies and procedures.
• Use strong, unique passwords.
• Use multi-factor authentication.
• Implement network segmentation and traversal monitoring.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.
Click here for a PDF version of this report.
First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA-256:
The BlackMatter variant uses embedded admin or user credentials that were previously compromised and
BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
Table 1 maps BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting.
Table 1: Black Matter Actors and Ransomware TTPs
Summary
Actions You Can Take Now to Protect Against BlackMatter Ransomware
• Implement and enforce backup and restoration policies and procedures.
• Use strong, unique passwords.
• Use multi-factor authentication.
• Implement network segmentation and traversal monitoring.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.
Click here for a PDF version of this report.
Technical Details
Overview
First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
Tactics, Techniques, and Procedures
This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA-256:
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
. (Note: click here to see the sample’s page on VirusTotal.)The BlackMatter variant uses embedded admin or user credentials that were previously compromised and
NtQuerySystemInformation
and EnumServicesStatusExW
to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll
Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$
, C$
, SYSVOL
, and NETLOGON
.BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
Table 1 maps BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting.
Table 1: Black Matter Actors and Ransomware TTPs
Tactic | Technique | Procedure |
---|---|---|
BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks. | ||
BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon. | ||
BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD. | ||
BlackMatter uses NtQuerySystemInformation to enumerate running processes. |