CISA, the FBI and the NSA release a Joint Cybersecurity Advisory on recent BlackMatter Ransomware Attacks
In a press briefing at the White House over the Labor Day weekend, White House deputy national security adviser Anne Neuberger reinforced a warning the FBI and CISA had released only days before, urging organizations to remain vigilant to ransomware threats on Holidays, including the Labor Day weekend.
While this weekend is not a holiday weekend, the CISA, the FBI, and the NSA released another Joint Cybersecurity Advisory this week “to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.”
The advisory document provides the following description of their method for discovering the activity: “This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting.”
And a broad overview BlackMatter’s modus operandi for the attacks: “Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.”
The following is offered as a further overview of BlackMatter tactics: “First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.”
Besides the specific mention in the advisory, additional reporting suggests that the BlackMatter ransomware threat is specifically aimed at the agricultural sector and food supply chain disruptions.
Full technical details can be found in the advisory: Joint Cybersecurity Advisory – AA21-291A: BlackMatter Ransomware (cisa.gov)
Further USG Ransomware Resources
- Techniques – Enterprise | MITRE ATT&CK®
- Victims of ransomware should report it immediately to CISA: https://us-cert.cisa.gov/report
The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Ransomware Guide
Bad Practices | CISA
National Checklist Program | NIST
Domain security best practices | .gov (dotgov.gov)
Performance.gov/data (Beta) | Performance.gov
Technical Approaches to Uncovering and Remediating Malicious Activity | CISA
Cyber Hygiene Services | CISA
CISA, Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) Joint Cybersecurity Advisory on Ransomware Activity Targeting the Healthcare and Public Health Sector
CISA, FBI, DHS Homeland Security Investigations, and U.S. Secret Service recorded video discussion on Trends and Predictions in Ransomware from the 2020 CISA National Cybersecurity Summit.
CISA Fact Sheet on Cyber Threats to K-12 Remote Learning Education for non-technical educational professionals with contributions from the FBI.
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking