The US authorities have released more details on emerging ransomware group BlackMatter, which they say has already targeted multiple critical infrastructure providers in the country.
The alert comes from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA).
The ransomware-as-a-service (RaaS) operation appeared in July. It has been suggested that it may have links to the DarkSide group that came under pressure from Washington after the Colonial Pipeline attack. That group subsequently disappeared.
BlackMatter is said to eschew healthcare, NGO, government, oil and gas and other critical infrastructure sectors. However, last month it targeted a US grain producer, which claimed to play a key role in the US food supply chain. New Cooperative was hit with a $5.9m ransom demand at that time.
Demanding payments of up to $15m from its victims, BlackMatter has been observed using remote monitoring and remote desktop software to achieve persistence. It may also use embedded, previously compromised credentials together with the LDAP and SMB protocols to access Active Directory and enumerate every host on the network, the alert noted.
Data exfiltration is attempted over the web, and SMB is used to encrypt shares remotely. There’s also a warning that BlackMatter may wipe backup stores rather than encrypt them as most variants do.
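The two SMB behaviours described above, encrypting shares remotely from a single foothold and deleting backup data instead of encrypting it, are both visible in file-share access auditing. The following is an added example of how a defender could flag them, not code from the alert or from the article: it parses a constructed, simplified rendering of share-access events (the field layout is an assumption, not a real Windows log format) and reports any client that writes to many distinct servers' shares in a short window, plus any client that deletes from a share whose name suggests it holds backups. Thresholds and the backup name markers are assumptions to be tuned per environment.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed field layout, not a real Windows event format).
# One client, 10.0.5.21, writes to five servers within 30 seconds and then deletes
# from a backup share; 10.0.7.9 is an ordinary user for comparison.
SAMPLE_LOG = """\
2021-10-18T02:14:03 src=10.0.7.9 host=FS01 share=Finance path=Q3/report.xlsx access=WRITE
2021-10-18T02:14:10 src=10.0.7.9 host=BK01 share=Backups path=daily/fs01.vbk access=READ
2021-10-18T02:15:01 src=10.0.5.21 host=FS01 share=Finance path=Q3/report.xlsx access=WRITE
2021-10-18T02:15:08 src=10.0.5.21 host=FS02 share=HR path=payroll.csv access=WRITE
2021-10-18T02:15:15 src=10.0.5.21 host=FS03 share=Eng path=src/main.c access=WRITE
2021-10-18T02:15:22 src=10.0.5.21 host=FS04 share=Legal path=nda.docx access=WRITE
2021-10-18T02:15:30 src=10.0.5.21 host=FS05 share=Public path=readme.txt access=WRITE
2021-10-18T02:16:04 src=10.0.5.21 host=BK01 share=Backups path=daily/fs01.vbk access=DELETE
2021-10-18T02:16:05 src=10.0.5.21 host=BK01 share=Backups path=daily/fs02.vbk access=DELETE
2021-10-18T03:40:00 src=10.0.7.9 host=FS02 share=HR path=payroll.csv access=WRITE
"""


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime
    src: str     # client address that opened the share
    host: str    # server hosting the share
    share: str   # share name
    path: str    # relative target inside the share
    access: str  # simplified access type: READ, WRITE or DELETE


def parse_line(line: str) -> ShareAccess:
    """Parse one 'timestamp key=value ...' record into a ShareAccess."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return ShareAccess(datetime.fromisoformat(ts_text), kv["src"], kv["host"],
                       kv["share"], kv["path"], kv["access"])


def parse_log(text: str) -> list[ShareAccess]:
    """Parse all non-empty lines and return them sorted by timestamp."""
    return sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e.ts)


def remote_write_fanout(events: list[ShareAccess],
                        window: timedelta = timedelta(minutes=10),
                        min_hosts: int = 5) -> set[str]:
    """Return client addresses that wrote to at least `min_hosts` distinct
    servers' shares inside any `window`-long interval (remote encryption pattern)."""
    by_src: dict[str, list[ShareAccess]] = defaultdict(list)
    for e in events:
        if e.access == "WRITE":
            by_src[e.src].append(e)
    flagged: set[str] = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:          # sliding window anchored at each write
                if e.ts - start.ts > window:
                    break
                hosts.add(e.host)
            if len(hosts) >= min_hosts:
                flagged.add(src)
                break
    return flagged


# Assumed name fragments that mark a share as backup storage; tune per environment.
BACKUP_MARKERS = ("backup", "bkp", "veeam", "archive")


def backup_share_deletes(events: list[ShareAccess]) -> list[tuple[str, str, str]]:
    """Return distinct (client, server, share) triples where a client deleted
    from a share whose name looks like backup storage (backup-wipe pattern)."""
    seen: list[tuple[str, str, str]] = []
    for e in events:
        if e.access == "DELETE" and any(m in e.share.lower() for m in BACKUP_MARKERS):
            key = (e.src, e.host, e.share)
            if key not in seen:
                seen.append(key)
    return seen


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("clients writing to many remote shares:", remote_write_fanout(evs))
    print("deletes against backup shares:", backup_share_deletes(evs))
```

On the constructed sample the fan-out check flags only 10.0.5.21, and the backup check returns the single (10.0.5.21, BK01, Backups) triple; the ordinary user's reads and widely spaced writes do not trip either rule. In production the same logic would run over Windows detailed file share auditing (Security event 5145) or the file server's own access log, with the window and host threshold set from a baseline of normal administrative activity.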
The group is also known for encrypting VMware ESXi virtual machines with a separate Linux-based binary.
The alert lists a series of best-practice mitigations, including good password management and multi-factor authentication (MFA), regular patching, network segmentation, and implementing the Snort detection signatures listed in the document.
The US agencies also recommended that organizations limit access to network resources, enforce the principle of least privilege in identity and access management, and enforce best-practice backup and restoration policies.