ArchiveOODA OriginalSecurity and Resiliency

CISA, the FBI and the NSA release a Joint Cybersecurity Advisory on recent BlackMatter Ransomware Attacks

In a press briefing at the White House over the Labor Day weekend, White House deputy national security adviser Anne Neuberger reinforced a warning the FBI and CISA had released only days before, urging organizations to remain vigilant to ransomware threats on Holidays, including the Labor Day weekend.

While this weekend is not a holiday weekend,  the CISA, the FBI, and the NSA released another Joint Cybersecurity Advisory this week “to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.”

The advisory document provides the following description of their method for discovering the activity: “This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting.”

And a broad overview BlackMatter’s modus operandi for the attacks: “Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.”

The following is offered as a further overview of BlackMatter tactics:  “First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.”

Besides the specific mention in the advisory, additional reporting suggests that the BlackMatter ransomware threat is specifically aimed at the agricultural sector and food supply chain disruptions.

Full technical details can be found in the advisory:  Joint Cybersecurity Advisory – AA21-291A: BlackMatter Ransomware (

Further USG Ransomware Resources

Related Reading:

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Daniel Pereira

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.