The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint warning about BlackMatter, a relatively new ransomware operation that has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations in the last few months.
Active since July 2021, the ransomware operation is thought to be a rebrand of the DarkSide RaaS that shut down after the attack that crippled the Colonial Pipeline, the largest pipeline system for refined oil products in the U.S.
BlackMatter ransomware operators have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero, the three agencies said.
The new security advisory provides details on how the BlackMatter ransomware gang operates, including tactics, techniques, and procedures (TTPs), as well as detection signatures and mitigations to help identify and block network activity associated with the threat.
“Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found,” the advisory said.
“BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.”
CISA, the FBI, and NSA have also released a set of additional mitigations for critical infrastructure organizations to help them reduce the risk of credential compromise.
Disable the storage of clear text passwords in LSASS memory.
Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process Light (PPL) for the Local Security Authority (LSA), which stops unsigned code from opening and reading LSASS memory.
Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as "Kerberoasting" takes advantage of the Kerberos Ticket Granting Service: any authenticated domain user can request a service ticket for any account that has a Service Principal Name (SPN) registered, and because that ticket is encrypted with a key derived from the service account's password, the attacker can take it offline and brute-force the password without touching the domain controller again.
Set a strong password policy for service accounts, which are the accounts Kerberoasting targets; long random passwords, or Group Managed Service Accounts whose passwords Windows rotates automatically, make the captured tickets impractical to crack.
Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests (Security Event ID 4769) and ensure the events are monitored for anomalous activity, such as one user requesting RC4-encrypted tickets for many service accounts in a short window.
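The following PowerShell is an added example of applying these mitigations on a Windows host; it is not code from the advisory or from the three agencies. The registry values are the ones documented by Microsoft for WDigest, NTLM, Credential Guard and LSA PPL; the Kerberos functions assume they run elevated on a domain controller with the ActiveDirectory module installed, and the threshold of ten RC4 service-ticket requests per user and source address is an arbitrary starting point for tuning, not a published indicator.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the CISA/FBI/NSA advisory. Applies the credential
# hardening items listed above and adds two Kerberoasting checks. Assumes an
# elevated session; the Kerberos parts assume a domain controller with the
# ActiveDirectory module. A reboot is required for the LSA settings to apply.

$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv  = "$Lsa\MSV1_0"
$WDig = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$DevG = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Set-CredentialHardening {
    # 1. No clear-text passwords in LSASS: stop WDigest from caching logon credentials.
    Set-RegDword $WDig 'UseLogonCredential' 0

    # 2. Limit NTLM: send/accept NTLMv2 only, refuse LM and NTLMv1 (level 5).
    #    Audit incoming NTLM first (Microsoft-Windows-NTLM/Operational log);
    #    switch RestrictSendingNTLMTraffic to 2 (deny) once the audit is clean.
    Set-RegDword $Lsa 'LmCompatibilityLevel' 5
    Set-RegDword $Msv 'AuditReceivingNTLMTraffic' 2
    Set-RegDword $Msv 'RestrictSendingNTLMTraffic' 1   # 1 = audit, 2 = deny

    # 3. Credential Guard (Windows 10 / Server 2016 and later): needs VBS plus
    #    Secure Boot. LsaCfgFlags 1 = enabled with UEFI lock, 2 = without lock.
    Set-RegDword $DevG 'EnableVirtualizationBasedSecurity' 1
    Set-RegDword $DevG 'RequirePlatformSecurityFeatures' 1   # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    Set-RegDword $Lsa  'LsaCfgFlags' 1

    # 4. LSA as a Protected Process Light (Server 2012 R2 and later): unsigned
    #    tools such as credential dumpers can no longer read LSASS memory.
    Set-RegDword $Lsa 'RunAsPPL' 1
}

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is active (2 = HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    return [bool]($dg.SecurityServicesRunning -contains 1)
}

function Get-KerberoastableAccounts {
    # User accounts with an SPN are the Kerberoasting targets; old passwords are the weak ones.
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }
}

function Enable-TgsAuditing {
    # Turns on Security Event ID 4769 (service ticket requested) on this DC.
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable | Out-Null
}

function Get-SuspiciousTgsRequests([int]$Hours = 24, [int]$Threshold = 10) {
    # Successful 4769 events with RC4 (0x17) tickets for non-computer services,
    # grouped by requesting user and source IP. Threshold is an assumed tuning value.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $d.TargetUserName
                Service = $d.ServiceName
                Enc     = $d.TicketEncryptionType
                Client  = $d.IpAddress
                Status  = $d.Status
            }
        } |
        Where-Object { $_.Enc -eq '0x17' -and $_.Status -eq '0x0' -and $_.Service -notlike '*$' } |
        Group-Object User, Client |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object Count, Name, @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ',' } }
}

# Usage on a member server / workstation:
Set-CredentialHardening
# Usage on a domain controller, after the reboot:
Enable-TgsAuditing
Get-KerberoastableAccounts | Sort-Object PasswordLastSet | Format-Table -AutoSize
Get-SuspiciousTgsRequests -Hours 24 | Format-Table -AutoSize
"Credential Guard running: $(Test-CredentialGuardRunning)"
```

The NTLM restriction is deliberately left in audit mode: legacy devices and some service-to-service paths still depend on NTLM, and denying it before the audit log is reviewed is a common way to take down an application during a hardening push. The RC4 filter catches the default behaviour of common Kerberoasting tools, which request RC4 tickets because they crack far faster than AES; an attacker who requests AES tickets will not trip it, so the SPN inventory and strong service-account passwords remain the primary control.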