BlackMatter ransomware has targeted the U.S. Food and Agriculture sector since July 2021. In a joint cybersecurity advisory, the CISA, FBI and NSA described the BlackMatter ransomware threat, and key steps that MSSPs and cybersecurity professionals can take to mitigate the malware.
Among the twists to note, the advisory said BlackMatter is a possible rebrand of DarkSide, a RaaS (Ransomware as a Service) that was active from September 2020 through May 2021. The BlackMatter actors have demanded ransom payments ranging from $80,000 to $15 million in Bitcoin and Monero, the cybersecurity advisory noted.
Those signatures “will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours,” the advisory said.
2. Use Strong Passwords: Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account, the advisory said.
3. Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems, the advisory said.
4. Patch and Update Systems to keep all operating systems and software up to date, the advisory recommended.
5. Limit Access to Resources over the Network: For instance,
Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity, the advisory said.
Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines, the advisory added.
6. Implement Network Segmentation and Traversal Monitoring: Adversaries use system and network discovery techniques for network and system visibility and mapping, the advisory said. To limit that threat, the advisory recommended:
Segment networks to prevent the spread of ransomware and restrict adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. Endpoint detection and response (EDR) tools can help in this area, the advisory noted.
7. Use Admin Disabling Tools to Support Identity and Privileged Access Management (PAM): If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected, the advisory observed. With that risk in mind, the advisory recommended that readers:
Implement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion, the advisory stated.
Disable command-line and scripting activities and permissions, which threat actors often leverage.
8. Implement and Enforce Backup and Restoration Policies and Procedures: That includes steps to:
Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom demand.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure, the advisory said.
Additional Security Steps for Critical Infrastructure Organizations
Critical infrastructure organizations should apply the following additional mitigations to reduce the risk of credential compromise, the advisory said:
9. Disable the storage of clear text passwords in LSASS memory.
10. Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
12. Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack.
Set a strong password policy for service accounts.
Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.
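As an added example (not from the advisory or this article), the following Python script shows what monitoring those Kerberos Ticket-Granting Service events for anomalous activity can look like: it reads constructed Windows Security Event ID 4769 records and flags an account that requests RC4-HMAC (ticket encryption type 0x17) service tickets for many distinct service accounts within a short window, the pattern Kerberoasting tooling produces. The sample records, the five-minute window and the five-SPN threshold are assumptions to tune for your environment.

```python
"""Flag Kerberoasting-style bursts in Event ID 4769 (Kerberos service
ticket requested) records. Heuristic: one requesting account obtains
RC4-HMAC (0x17) service tickets for >= min_spns distinct service
accounts inside a short window. Successful requests only (Status 0x0)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data) as
# (timestamp, requesting account, service name, TicketEncryptionType, Status).
SAMPLE_EVENTS = [
    ("2021-10-18T02:14:01", "jdoe", "svc_sql", "0x17", "0x0"),
    ("2021-10-18T02:14:02", "jdoe", "svc_backup", "0x17", "0x0"),
    ("2021-10-18T02:14:02", "jdoe", "svc_web", "0x17", "0x0"),
    ("2021-10-18T02:14:03", "jdoe", "svc_sccm", "0x17", "0x0"),
    ("2021-10-18T02:14:03", "jdoe", "svc_exch", "0x17", "0x0"),
    ("2021-10-18T03:00:00", "jdoe", "svc_legacy", "0x17", "0x1"),   # failed, ignored
    ("2021-10-18T09:00:10", "asmith", "svc_sql", "0x12", "0x0"),    # AES256, normal
    ("2021-10-18T09:05:00", "asmith", "svc_web", "0x12", "0x0"),
    ("2021-10-18T10:00:00", "bjones", "svc_sql", "0x17", "0x0"),    # one legacy RC4 app
]


def detect_kerberoasting(events, window=timedelta(minutes=5),
                         min_spns=5, etype="0x17"):
    """Return {requesting_account: set_of_spns} for every account whose
    successful RC4 ticket requests cover >= min_spns distinct services
    within any sliding window of the given length."""
    by_user = defaultdict(list)
    for ts, user, spn, enc, status in events:
        if enc.lower() != etype or status != "0x0":
            continue                     # only successful RC4 tickets count
        by_user[user].append((datetime.fromisoformat(ts), spn))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()                      # chronological order
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:    # burst of distinct SPNs from one account
                alerts[user] = spns
                break
    return alerts


if __name__ == "__main__":
    for user, spns in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(spns)} RC4 service tickets in 5 min "
              f"-> {sorted(spns)}")
```

Feed it the 4769 fields exported from your domain controllers' Security logs; an alert from a low-privilege user account outside business hours is exactly the off-hours credential misuse the advisory warns about.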