The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert this week warning organizations to be on the lookout for the BlackMatter ransomware-as-a-service (RaaS) tool.
"RaaS is definitely indicative of how ransomware has changed over the year. We've seen ransomware mature as a criminal tool. It's gone from an opportunistic net sweeping up individual victims to a regular tool in carefully targeted exploitation attacking larger organizations," said Karl Sigler , senior security research manager at Trustwave.
BlackMatter ransomware was first spotted in July and is most likely a rebrand of the DarkSide ransomware-as-a-service variant. It has been used in numerous attacks on U.S.-based organizations, generally demanding ransom payments ranging from $80,000 to $15 million in Bitcoin and Monero.
"Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found," the federal alert said.
Sigler added: "While there is a lot of additional work in properly targeting any organization, the payouts are big enough to make it worthwhile. RaaS reminds me of the rise of exploit kits-as-a-service that we saw back about five years ago. It just further shows that there is so much money to be made through ransomware that it can support a full business model."
The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center issued a similar alert on BlackMatter in early September.
A successful attack will see BlackMatter remotely encrypt a victim's shared drives via SMB protocol and drop a ransomware note in each directory. Additionally, the alert said that the malware attempts to exfiltrate data as part of its extortion strategy, and the malware has a disk wipe capability that wipe backup systems.
Tactics, Techniques, and Procedures
BlackMatter gains initial entry using previously compromised admin or user credentials and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively, the alert said. The credentials are harvested from Local Security Authority Subsystem Service (LSASS) memory using Microsoft’s Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.
"BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares' contents, including ADMIN$, C$, SYSVOL, and NETLOGON," the CISA/FBIalert said.
Additionally, the CISA and FBI alert noted, BlackMatter maintains persistence by leveraging legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
BlackMatter's RaaS operation uses the continuously evolving extortion model to force victims to pay the ransom demand. In several of the gang's most recent attacks, it has used what is called "quadruple extortion."
This method sees the gang not only crypto-locking files and stealing data but then threatening to release the information publicly or sell the stolen data to a competitor. The attacker also threatens the victims with having their data exposed publicly if they contact law enforcement, data recovery experts, or negotiators.
The BlackMatter gang has launched several recent high-profile attacks, including attacks against the farming co-op NEW Cooperative Inc. where BlackMatter demanded a $5.9 million ransom and an attack against Marketron Broadcast Solutions' marketing firm in September. Additionally, in October, BlackMatter also hit the camera maker Olympus.
Analysts believe BlackMatter is a rebranded version of the DarkSide ransomware gang, which targeted Colonial Pipeline Co. in May and disrupted fuel deliveries along the U.S. East Coast. DarkSide itself went dark for a few months, possibly in response to the extensive law enforcement attention drawn in by the Colonial Pipeline attack.
Defending Against BlackMatter
Sigler noted that an organization can successfully defend itself against BlackMatter.
"So far as defense advice, correct, existing proactive advice would help limit the damage incurred by a ransomware infection," Sigler said.
"The first thing is foundational. Make sure you've maximized your overall approach to reducing the risk of email-originated threats because a lot of the ransomware that makes it into an organization is still coming through that vector," Van Booven said. "People still click on links in suspicious emails — it's human nature — so a base level of security awareness training should be part of planning there."
Are you currently affected by ransomware? Contact us now and learn how we can help.
Van Booven added that it is vital to have an advanced EDR tool installed on the endpoint in case a worker clicks on a malicious link, which is likely bound to happen at some point. Also, he added, make sure systems are up to date and patched, and an EDR tool is on every device.
"We've responded to a lot of incidents where even environments that have had an EDR solution rollout have still gotten compromised because they didn't install the EDR tool everywhere," Van Booven said. "Without a full implementation, machines without EDR were being impacted. But, as mentioned before, a focus on endpoint protection, patching, and email-originated threat detection is only part of the picture."