U.S. federal security agencies have published a joint advisory warning defenders of continued ransomware attacks from the BlackMatter group, itself born from the ashes of the infamous DarkSide operation. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) co-authored the advisory, which follows months of scrutiny and investigation of the group. The agencies consider the signs of ongoing activity strong enough to recommend that organizations bolster their defenses now, particularly those tied to user credentials, password hygiene, and multi-factor authentication (MFA).
BlackMatter is the result of a regrouping of members previously involved with DarkSide, the infamous group that shuttered operations in May 2021. Like the Desorden hacking group (which recently attacked Acer), BlackMatter appears to favor attacks on supply-chain players, multiplying the repercussions of a single intrusion across many downstream endpoints. Since it began operating under the new name, BlackMatter has already attacked numerous U.S. critical infrastructure organizations, including two U.S. Food and Agriculture Sector cooperatives, as well as private companies such as Olympus.
As has become the norm since ransomware's inception, cryptocurrency is part of the extortion workflow: "Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services," the advisory reads. "BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero."
The advisory goes into detail on how BlackMatter's ransomware operates, which is where its recommendations for potential targets are derived from. Having analyzed a sample of the ransomware in a sandbox, the agencies underline the breadth of BlackMatter's tooling, which can attack both Windows and Linux environments, including ESXi virtual machines, covering the bulk of a typical enterprise's infrastructure.
The joint advisory also sheds light on the destructive steps BlackMatter takes to ensure maximum impact: "Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances," reads the advisory. BlackMatter actors "use system and network discovery techniques for network and system visibility and mapping," according to the advisory. "To limit an adversary from learning the organization's enterprise environment, limit common system and network discovery techniques."
Suggested mitigations include network segmentation (in place of the flat, centrally managed networks historically favored for ease of administration) and the deployment of network monitoring tools to spot ransomware traversing the network. The agencies also provided Snort detection signatures so that defenders can hunt for traces of the group's ransomware on the systems they manage.
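The advice to monitor for ransomware traversal and to limit network discovery can be turned into a simple hunt. What follows is an added example, not code from the advisory or from any of the three agencies, and not one of the advisory's published signatures: it reads constructed SMB session log lines (the log format, host names, thresholds and the list of administrative shares are all assumptions) and flags any source host that reaches an unusually large number of distinct hosts within a short window, the fan-out pattern that both network discovery and ransomware spreading across a flat network produce.

```python
"""Flag hosts whose SMB fan-out looks like ransomware traversal or share enumeration.

Added illustration only; not the advisory's signatures. The log format, the
thresholds and the administrative-share list below are assumptions, and the
sample log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format per line:
#   <UTC timestamp> <source host> <destination host> <SMB share>
SAMPLE_LOG = """\
2021-10-18T02:14:01Z WS-17 FS-01 ADMIN$
2021-10-18T02:14:02Z WS-17 FS-02 ADMIN$
2021-10-18T02:14:02Z WS-17 FS-03 C$
2021-10-18T02:14:03Z WS-17 DC-01 ADMIN$
2021-10-18T02:14:03Z WS-17 HR-PC1 C$
2021-10-18T02:14:04Z WS-17 HR-PC2 C$
2021-10-18T02:14:04Z WS-17 FIN-PC1 C$
2021-10-18T02:14:05Z WS-17 FIN-PC2 C$
2021-10-18T09:30:10Z WS-22 FS-01 Finance
2021-10-18T09:31:45Z WS-22 FS-01 Finance
2021-10-18T10:02:00Z WS-09 FS-02 Shared
"""

WINDOW = timedelta(seconds=60)   # assumption: sliding window for counting fan-out
FANOUT_THRESHOLD = 5             # assumption: distinct destination hosts that trigger an alert
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}  # assumption: shares a workstation rarely needs


def parse_log(text):
    """Parse the assumed log format into (timestamp, src, dst, share) tuples, time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, share = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, share))
    events.sort()
    return events


def find_fanout(events, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: (distinct_hosts, admin_share_hits)} for sources whose widest
    fan-out inside any single window reaches the threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        best = (0, 0)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            hosts = {e[2] for e in window_evs}
            if len(hosts) > best[0]:
                admin_hits = sum(1 for e in window_evs if e[3] in ADMIN_SHARES)
                best = (len(hosts), admin_hits)
        if best[0] >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (hosts, admin_hits) in find_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {hosts} distinct hosts within {WINDOW.seconds}s, "
              f"{admin_hits} over administrative shares")
```

On the constructed sample, WS-17 touches eight distinct hosts in four seconds, all over administrative shares, and is the only host flagged; the two workstations opening ordinary file shares at a human pace are not. In a real deployment the same logic would run over SMB connection records from a network sensor or endpoint logs, and the thresholds would be tuned against a baseline of legitimate administrative traffic so that patch-management and backup hosts are exempted rather than alerting every night.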