CISA, FBI, NSA Issue Advisory on BlackMatter Ransomware

Red Combine Harvesting Wheat Crops in a Large Field

U.S. security agencies have issued a joint advisory on BlackMatter Ransomware, which has attacked a number of critical infrastructure organizations, including two entities in the U.S. food and agriculture sector. The advisory also warns of imminent future ransomware attacks by BlackMatter.

The advisory was issued by three federal security bodies: the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).

The United States and its federal agencies have taken an offensive stance on ransomware in recent months. Last month, the U.S. Treasury announced a series of measures to counter the growing number of ransomware attacks. The FBI has actively warned critical sectors, such as healthcare and agriculture, of imminent cyber threats.

What is the BlackMatter Group?

BlackMatter is a hacking group consisting of members who were previously associated with DarkSide, the group responsible for the cyberattack on the Colonial Pipeline. The group appears to target supply-chain players and is known to aggravate their attacks through multiple endpoints.

The advisory claims that the group is behind two attacks on the U.S. Food and Agriculture Sector. Last month, the group targeted Olympus’ EMEA IT systems.

Furthermore, the group is known to demand ransoms in cryptocurrencies. According to the advisory, “BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.”

Advisory Says BlackMatter Can Attack Both Windows and Linux Environments

The advisory provides details on the ransomware operationalization based on a controlled test. This gives information about the cybersecurity requirements and other details for potential targets.

The agencies deployed a sample of the ransomware in a secure environment and found that it can attack both Windows and Linux environments. The ransomware can also breach ESXI-based virtual machines. The advisory concludes that BlackMatter effectively covers “all but the more exotic bases of information security.”

Agencies Provide Mitigation Steps to Network Defenders

The advisory provides network defenders with a list of measures to reduce the risk of compromise from ransomware. It adds that these measures are especially important for critical infrastructure organization.

The mitigation steps include:

  • Implement detection signatures that will identify and block the placement of the ransom note and consequently block additional Server Message Block traffic
  • Utilize strong passwords
  • Use multi-factor authentication
  • Patch and update systems in a timely manner
  • Limit access to resources, such as administrative access, to necessary personnel
  • Segment networks and implement traversal monitoring
  • Use admin disabling tools, such as time-based access for admin-level and higher accounts
  • Implement and enforce backup and restoration rules and guidelines
Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.