The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) issued a combined advisory this week to warn enterprises about the BlackMatter ransomware gang’s growing danger.
BlackMatter, which has been active since July 2021, is thought to be the successor to DarkSide, a ransomware-as-a-service (RaaS) operation that shut down in May 2021. DarkSide was behind a number of high-profile ransomware attacks.
The BlackMatter ransomware has already hit multiple critical infrastructure organizations in the United States, including two organizations in the food and agriculture sector, according to the joint advisory.
In a typical BlackMatter intrusion, the operators use compromised credentials to gain access to an organization's Active Directory (AD), then reach every host and shared drive on the network by abusing the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocols.
“BlackMatter actors encrypt ESXi virtual machines using a different encryption binary for Linux-based machines.” BlackMatter actors delete or reformat backup data stores and appliances rather than encrypting backup systems, according to the agencies.
The threat actors use legitimate tools and attacker-created accounts to obtain remote, persistent access to the compromised environment, and they also attempt to exfiltrate victim data for use in extortion.
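The two behaviours described above, a single credential fanning out across many hosts' administrative SMB shares and a freshly created account being used for remote logons, are both visible in ordinary Windows Security logs. The following is an added detection example written for this summary; it is not code from the advisory or from CISA, FBI or NSA. The event records, field names, host names and thresholds are all constructed assumptions loosely modelled on event IDs 4720 (account created), 4624 (logon) and 5140 (network share accessed).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Fields are simplified: "id" is the
# Windows Security event ID, "account" the acting account, "host" the computer
# that logged the event, "target" the created account for 4720 events.
SAMPLE_EVENTS = [
    {"ts": "2021-10-18T02:00:05", "id": 4720, "host": "DC01", "account": "Administrator", "target": "svc_backup2"},
    {"ts": "2021-10-18T02:01:10", "id": 4624, "host": "FS01", "account": "svc_backup2", "logon_type": 3},
    {"ts": "2021-10-18T02:01:12", "id": 5140, "host": "FS01", "account": "svc_backup2", "share": "\\\\*\\C$"},
    {"ts": "2021-10-18T02:01:20", "id": 4624, "host": "FS02", "account": "svc_backup2", "logon_type": 3},
    {"ts": "2021-10-18T02:01:22", "id": 5140, "host": "FS02", "account": "svc_backup2", "share": "\\\\*\\ADMIN$"},
    {"ts": "2021-10-18T02:01:30", "id": 5140, "host": "FS03", "account": "svc_backup2", "share": "\\\\*\\C$"},
    {"ts": "2021-10-18T02:01:40", "id": 5140, "host": "FS04", "account": "svc_backup2", "share": "\\\\*\\C$"},
    {"ts": "2021-10-18T02:01:50", "id": 5140, "host": "FS05", "account": "svc_backup2", "share": "\\\\*\\C$"},
    {"ts": "2021-10-18T02:02:00", "id": 5140, "host": "FS06", "account": "svc_backup2", "share": "\\\\*\\C$"},
    # Benign background: a user opening a normal share, a service touching two admin shares.
    {"ts": "2021-10-18T09:15:00", "id": 5140, "host": "FS01", "account": "jdoe", "share": "\\\\*\\Public"},
    {"ts": "2021-10-18T09:20:00", "id": 5140, "host": "FS01", "account": "backupsvc", "share": "\\\\*\\C$"},
    {"ts": "2021-10-18T09:21:00", "id": 5140, "host": "FS02", "account": "backupsvc", "share": "\\\\*\\C$"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def share_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Flag accounts that accessed administrative shares (name ending in '$')
    on at least `min_hosts` distinct hosts within a sliding `window`.
    Returns {account: sorted list of hosts}. Threshold values are assumptions."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 5140 and e.get("share", "").endswith("$"):
            by_account[e["account"]].append((parse_ts(e["ts"]), e["host"]))
    flagged = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def new_account_remote_use(events):
    """Flag accounts created by a 4720 event that are later used for network
    logons (4624, logon type 3) on a host other than the one that logged the
    creation. Returns {account: sorted list of hosts logged on to}."""
    created = {}
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = (parse_ts(e["ts"]), e["host"])
    flagged = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3 and e["account"] in created:
            created_at, creator_host = created[e["account"]]
            if parse_ts(e["ts"]) >= created_at and e["host"] != creator_host:
                flagged[e["account"]].add(e["host"])
    return {a: sorted(h) for a, h in flagged.items()}


if __name__ == "__main__":
    for account, hosts in share_fanout(SAMPLE_EVENTS).items():
        print(f"admin-share fan-out: {account} -> {', '.join(hosts)}")
    for account, hosts in new_account_remote_use(SAMPLE_EVENTS).items():
        print(f"new account used remotely: {account} -> {', '.join(hosts)}")
```

On the constructed sample, `svc_backup2` is flagged by both checks, while `backupsvc` (two hosts) and `jdoe` (a non-administrative share) fall below the fan-out threshold. In a real deployment the thresholds should be tuned against the baseline of legitimate administrative tooling, and the account-creation check is most useful when joined with the account's group membership.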
Organizations of all types are advised to deploy the published detection signatures, use strong passwords on all accounts, implement multi-factor authentication, keep systems patched, limit user access to the resources they need, and use firewalls and network segmentation to mitigate the threat posed by BlackMatter and other ransomware families.
In addition to developing a ransomware response plan, network administrators should keep offline backups of all data and ensure those backups are encrypted, and should deploy tooling that detects anomalous activity within their environments.