CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

CISA and FBI Issue Alert for BlackMatter Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert this week warning organizations to be on the lookout for the BlackMatter ransomware-as-a-service (RaaS) tool.

"RaaS is definitely indicative of how ransomware has changed over the year. We've seen ransomware mature as a criminal tool. It's gone from an opportunistic net sweeping up individual victims to a regular tool in carefully targeted exploitation attacking larger organizations," said Karl Sigler, senior security research manager at Trustwave.

BlackMatter ransomware was first spotted in July and is most likely a rebrand of the DarkSide ransomware-as-a-service variant. It has been used in numerous attacks on U.S.-based organizations, generally demanding ransom payments ranging from $80,000 to $15 million in Bitcoin and Monero.

"Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found," the federal alert said.

Sigler added: "While there is a lot of additional work in properly targeting any organization, the payouts are big enough to make it worthwhile. RaaS reminds me of the rise of exploit kits-as-a-service that we saw back about five years ago. It just further shows that there is so much money to be made through ransomware that it can support a full business model."

The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center issued a similar alert on BlackMatter in early September.

A successful attack will see BlackMatter remotely encrypt a victim's shared drives via SMB protocol and drop a ransomware note in each directory. Additionally, the alert said that the malware attempts to exfiltrate data as part of its extortion strategy, and the malware has a disk wipe capability that wipe backup systems.

Tactics, Techniques, and Procedures

BlackMatter gains initial entry using previously compromised admin or user credentials and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively, the alert said. The credentials are harvested from Local Security Authority Subsystem Service (LSASS) memory using Microsoft’s Process Monitor, an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.

"BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares' contents, including ADMIN$, C$, SYSVOL, and NETLOGON," the CISA/FBIalert said.

Additionally, the CISA and FBI alert noted, BlackMatter maintains persistence by leveraging legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.

BlackMatter Attacks

BlackMatter's RaaS operation uses the continuously evolving extortion model to force victims to pay the ransom demand. In several of the gang's most recent attacks, it has used what is called "quadruple extortion."

This method sees the gang not only crypto-locking files and stealing data but then threatening to release the information publicly or sell the stolen data to a competitor. The attacker also threatens the victims with having their data exposed publicly if they contact law enforcement, data recovery experts, or negotiators.

The BlackMatter gang has launched several recent high-profile attacks, including attacks against the farming co-op NEW Cooperative Inc. where BlackMatter demanded a $5.9 million ransom and an attack against Marketron Broadcast Solutions' marketing firm in September. Additionally, in October, BlackMatter also hit the camera maker Olympus.

Analysts believe BlackMatter is a rebranded version of the DarkSide ransomware gang, which targeted Colonial Pipeline Co. in May and disrupted fuel deliveries along the U.S. East Coast. DarkSide itself went dark for a few months, possibly in response to the extensive law enforcement attention drawn in by the Colonial Pipeline attack.

Defending Against BlackMatter

Sigler noted that an organization can successfully defend itself against BlackMatter.

"So far as defense advice, correct, existing proactive advice would help limit the damage incurred by a ransomware infection," Sigler said.

Darren Van Booven, lead principal consultant at Trustwave and former CISO of the U.S. House of Representatives, said in a recent Trustwave ransomware blog that covering the basics is the first step.

"The first thing is foundational. Make sure you've maximized your overall approach to reducing the risk of email-originated threats because a lot of the ransomware that makes it into an organization is still coming through that vector," Van Booven said. "People still click on links in suspicious emails — it's human nature — so a base level of security awareness training should be part of planning there."

Van Booven added that it is vital to have an advanced EDR tool installed on the endpoint in case a worker clicks on a malicious link, which is likely bound to happen at some point. Also, he added, make sure systems are up to date and patched, and an EDR tool is on every device.

"We've responded to a lot of incidents where even environments that have had an EDR solution rollout have still gotten compromised because they didn't install the EDR tool everywhere," Van Booven said. "Without a full implementation, machines without EDR were being impacted. But, as mentioned before, a focus on endpoint protection, patching, and email-originated threat detection is only part of the picture."

Latest Trustwave Blogs

Unlocking the Power of Offensive Security: Trustwave's Proactive Approach to Cyber Defense

Clients often conflate Offensive Security with penetration testing, yet they serve distinct purposes within cybersecurity. Offensive Security is a broad term encompassing strategies to protect...

Read More

Behind the Scenes of the Change Healthcare Ransomware Attack Cyber Gang Dispute

Editor’s Note – The situation with the Change Healthcare cyberattack is changing frequently. The information in this blog is current as of April 16. We will update the blog as needed. April 16, 2024:...

Read More

Law Enforcement Must Keep up the Pressure on Cybergangs

The (apparent) takedown of major ransomware players like Blackcat/ALPHV and LockBit and the threat groups’ (apparent) revival is a prime example of the Whack-a-Mole nature of combating ransomware...

Read More