FBI, CISA, NSA published a joint advisory on BlackMatter ransomware operations

FBI, CISA, NSA have published a joint advisory about the operation of the BlackMatter ransomware gang and provides defense recommendations.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.

This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.

The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.

The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.

BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang has implemented a Linux encryptor to targets VMware ESXi virtual machine platform. 

BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

The sample analyzed by the researchers allowed them to discover that the ransomware operators used compromised administrator credentials to discover all the hosts in the victim’s Active Directory. In order to list all accessible network shares for each host the malicious code used Microsoft Remote Procedure Call (MSRPC) function (srvsvc.NetShareEnumAll) that allowed listing all accessible network shares for each host.

“The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.” reads the joint alert. “Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.”

BlackMatter operators use a separate encryption binary for Linux-based machines that can encrypt ESXi virtual machines. The experts noticed that BlackMatter operators wipe or reformat backup data stores and appliances instead of encrypting backup systems.

The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.

CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:

• Implement Detection Signatures;
• Use Strong Passwords;
• Implement Multi-Factor Authentication;
• Patch and Update Systems;
• Limit Access to Resources over the Network;
• Implement Network Segmentation and Traversal Monitoring;
• Use Admin Disabling Tools to Support Identity and Privileged Access Management;
• Implement and Enforce Backup and Restoration Policies and Procedures;

The US agencies also urge critical infrastructure organizations to apply the following additional mitigations:

• Disable the storage of clear text passwords in LSASS memory.
• Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
• Implement Credential Guard for Windows 10 and Server 2016, enable Protected Process Light for Local Security Authority (LSA).
• Minimize the AD attack surface

The alert also provides the following recommendations for responding to ransomware attacks:

• Following the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
• Scanning backups.
• Reporting incidents immediately to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service at a U.S. Secret Service Field Office.
• Applying incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackMatter ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]