_Actions You Can Take Now to Protect Against BlackMatter Ransomware
• Implement and enforce backup and restoration policies and procedures._
• Use strong, unique passwords.
• Use multi-factor authentication.
• Implement network segmentation and traversal monitoring.
Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
This joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.
This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.
Click here for a PDF version of this report.
First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA-256: 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
. (Note: click here to see the sample’s page on VirusTotal.)
The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation
and EnumServicesStatusExW
to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll
Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$
, C$
, SYSVOL
, and NETLOGON
.
BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
Table 1 maps BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting.
Table 1: Black Matter Actors and Ransomware TTPs
Tactic
|
Technique
|
Procedure
—|—|—
Persistence [TA0003]
|
External Remote Services [T1133]
|
BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
Credential Access [TA0006]
|
OS Credential Dumping: LSASS Memory [T1003.001]
|
BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
Discovery [TA0007]
|
Remote System Discovery [T1018]
|
BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD.
Process Discovery [T1057]
|
BlackMatter uses NtQuerySystemInformation
to enumerate running processes.
System Service Discovery [T1007]
|
BlackMatter uses EnumServicesStatusExW
to enumerate running services on the network.
Lateral Movement [TA0008]
|
Remote Services: SMB/Windows Admin Shares [T1021.002]
|
BlackMatter uses srvsvc.NetShareEnumAll
MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$
, C$
, SYSVOL
, and NETLOGON
.
Exfiltration [TA0010]
|
Exfiltration Over Web Service [T1567]
|
BlackMatter attempts to exfiltrate data for extortion.
Impact [TA0040]
|
Data Encrypted for Impact [T1486]
|
BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
Disk Wipe [T1561]
|
BlackMatter may wipe backup systems.
The following Snort signatures may be used for detecting network activity associated with BlackMatter activity.
Intrusion Detection System Rule:
alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )
Inline Intrusion Prevention System Rule:
alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; priority:1; sid:10000001; )
rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400
CISA, the FBI, and NSA urge network defenders, especially for critical infrastructure organizations, to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
ADMIN$
and C$
. If ADMIN$
and C$
are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions.
If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected. Given that there has been an observed increase in ransomware attacks during non-business hours, especially holidays and weekends, CISA, the FBI, and NSA recommend organizations:
CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise.
Refer to the CISA-Multi-State information and Sharing Center (MS-ISAC) Joint Ransomware Guide for general mitigations to prepare for and reduce the risk of compromise by ransomware attacks.
Note: critical infrastructure organizations with industrial control systems/operational technology networks should review joint CISA-FBI Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more mitigations, including mitigations to reduce the risk of severe business or functional degradation should their entity fall victim to a ransomware attack.
If a ransomware incident occurs at your organization, CISA, the FBI, and NSA recommend:
**Note:**CISA, the FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.
Victims of ransomware should report it immediately to CISA at us-cert.cisa.gov/report, a local FBI Field Office, or U.S. Secret Service Field Office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact the NSA Cybersecurity Requirements Center at 410-854-4200 or [email protected].
This document was developed by CISA, the FBI, and NSA in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.
**Note:**the information you have accessed is being provided “as is” for informational purposes only. CISA, the FBI, and NSA do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA, the FBI, or NSA.
October 18, 2021: Initial Version
www.secretservice.gov/contact/field-offices/
www.secretservice.gov/contact/field-offices/
attack.mitre.org/techniques/T1057
attack.mitre.org/versions/v9/tactics/TA0003/
attack.mitre.org/versions/v9/tactics/TA0006/
attack.mitre.org/versions/v9/tactics/TA0007/
attack.mitre.org/versions/v9/tactics/TA0008/
attack.mitre.org/versions/v9/tactics/TA0010/
attack.mitre.org/versions/v9/tactics/TA0040/
attack.mitre.org/versions/v9/techniques/enterprise/
attack.mitre.org/versions/v9/techniques/T1003/001/
attack.mitre.org/versions/v9/techniques/T1007/
attack.mitre.org/versions/v9/techniques/T1018/
attack.mitre.org/versions/v9/techniques/T1021/002/
attack.mitre.org/versions/v9/techniques/T1133/
attack.mitre.org/versions/v9/techniques/T1486/
attack.mitre.org/versions/v9/techniques/T1561/
attack.mitre.org/versions/v9/techniques/T1567/
docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
github.com/cisagov/cset/releases/tag/v10.3.0.0
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=BlackMatter%20Ransomware%20+https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a
us-cert.cisa.gov/ncas/alerts/aa20-245a
us-cert.cisa.gov/ncas/alerts/aa21-131a
us-cert.cisa.gov/ncas/alerts/aa21-243a
us-cert.cisa.gov/ncas/tips/ST04-002
us-cert.cisa.gov/ncas/tips/ST05-012
us-cert.cisa.gov/ncas/tips/ST05-012
us-cert.cisa.gov/report
us-cert.cisa.gov/report
www.cisa.gov/cyber-hygiene-services
www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf
www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C_.pdf
www.cisa.gov/stopransomware/
www.cyberark.com/what-is/just-in-time-access/#:~:text=JIT%20Access%20Explained%20Using%20the%20just-in-time%20%28JIT%29%20access,system%20in%20order%20to%20perform%20a%20necessary%20task
www.dataversity.net/how-to-survive-a-ransomware-attack-five-backup-best-practices/
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a&title=BlackMatter%20Ransomware%20
www.fbi.gov/contact-us/field-offices
www.fbi.gov/contact-us/field-offices
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a
www.us-cert.cisa.gov/ncas/tips/ST04-002
www.us-cert.cisa.gov/ncas/tips/ST04-002
www.usa.gov/
www.virustotal.com/gui/file/706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=BlackMatter%20Ransomware%20&body=www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a