US Gov warns of BlackMatter attacks against critical infrastructure

The US Government has issued an alert to organisations about the threat posed by the BlackMatter ransomware group.

The government’s Cybersecurity & Infrastructure Security Agency (better known as CISA) issued the advisory earlier this week, following a series of BlackMatter ransomware attacks since July 2021 targeting US critical infrastructure, including two American organisations working in the food and agriculture sector.

The BlackMatter ransomware, which came to prominence earlier this year following the demise of the notorious REvil and DarkSide ransomware gangs, is a ransomware-as-a-service (RaaS) operation that provides other cybercriminals with the technology needed to exfiltrate information from corporations, encrypt their data, and demand a costly ransom.

[Image: BlackMatter ransom demand]

Effectively this means that the BlackMatter ransomware is not just in the hands of sophisticated cybercriminals, but also less-technical groups and individuals who may not normally have the skillset to pull off such an attack.

As the alert explains, BlackMatter uses previously compromised usernames and passwords to spread across victim networks, remotely encrypting computers and shared drives as they are found, before ultimately demanding that a ransom be paid in cryptocurrency.

[Image: BlackMatter ransom README file]

Law enforcement agencies, according to the CISA alert, are advising that all organisations take steps to harden their defences and reduce the chance of a successful infection by the BlackMatter ransomware:

“Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.”

Amongst the detailed advice included in the alert on how to protect against the BlackMatter ransomware and mitigate the threat are the following suggestions:

  • Implement and enforce backup and restoration policies and procedures.
  • Use strong, unique passwords.
  • Use multi-factor authentication.
  • Implement network segmentation and traversal monitoring.

CISA notes that BlackMatter actors have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero, and points out that, alongside the NSA and FBI, it strongly discourages paying ransoms because payment encourages others to engage in ransomware attacks and does not guarantee that files will be recovered.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.