BlackMatter Ransomware Group Targeting Agriculture Companies
BlackMatter, founded in July 2021, is linked to the ransomware group DarkSide, which attacked Colonial Pipeline Co. earlier this year, triggering fuel shortages along the East Coast. The group targets companies with revenue of $100 million or more and has 500 to 15,000 hosts on their network. BlackMatter is a ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates such as BlackMatter actors who deploy it against victims.
BlackMatter actors have attacked numerous US-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Monero and Bitcoin. The BlackMatter group claims that it doesn’t attack “critical infrastructure,” including hospitals, nuclear power plants, water treatment facilities, oil pipelines and refineries, the defense industry, nonprofit companies, and the government sector, but those purchasing the RaaS don’t necessarily follow that rule.
Since its inception, BlackMatter ransomware has targeted multiple US critical infrastructure entities, including two US food and agriculture sector organizations. The BlackMatter group has been credited for the ransomware attack against a major Iowa-based agriculture services provider, New Cooperative. The group demanded a $5.9 million ransom for the company’s sensitive employee information, legal and executive info, source code for the Soilmap project, financial info, network information, R&D results, and more.
Because of the recent attacks, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) recently put out a joint advisory warning about critical infrastructure groups, particularly agricultural organizations, being targeted by BlackMatter ransomware.
BlackMatter Tactics
BlackMatter leverages legitimate remote desktop software and remote monitoring and management software, often by setting up trial accounts, maintaining persistence on victim networks, and harvesting credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
It then leverages the Server Message Block (SMB) protocol and Lightweight Directory Access Protocol (LDAP) to access the Active Directory (AD) to discover all hosts on the network and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.
This variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt all discovered shares’ contents from the original compromised host, including ADMIN$, C$, SYSVOL, and NETLOGON. BlackMatter actors often use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
How to Protect Your Company Against BlackMatter Ransomware
Ransomware attacks can be costly to mitigate, and they can disrupt business-critical services. Here are a few mitigations you can take to protect your organization from a BlackMatter attack.
- Use strong and unique passwords: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account. Don’t reuse passwords across multiple accounts or store them on a system where an adversary may gain access.
- Implement and require Multi-Factor Authentication (MFA), especially for accounts that access critical systems, webmail, and virtual private networks.
- Patch and update: Ensure all operating systems and software are up to date – timely patching is one of the cost-effective and highly efficient ways to minimize exposure to ransomware threats.
- Limit access to resources over the network: Restrict unnecessary access to administrative shares, limit privileges to only the necessary user accounts or services and perform continuous monitoring for suspicious activity. You should also use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
- Implement network segmentation and traversal monitoring: This will hinder an adversary from learning the organization’s enterprise environment. Most attackers use system and network discovery techniques for network and system visibility mapping.
- Implement and enforce backup and restoration policies and procedures: Ensure your backups are recent, cannot be deleted or altered, and cover the entire organization’s data infrastructure.
- Implement time-based access for accounts set at the admin level and higher: BlackMatter threat actors often use compromised credentials after business hours, which allows them to go undetected for longer periods.
Alvarez Technology Group provides comprehensive cybersecurity services that can help protect your organization from BlackMatter ransomware attacks and other cyberattacks that could compromise your networks and crucial company data. Contact us to schedule a consultation and discover how we can help keep your company data secure.
