BlackMatter ransomware has targeted the U.S. Food and Agriculture sector since July 2021. In a joint cybersecurity advisory, CISA, the FBI and the NSA described the BlackMatter ransomware threat and the key steps that MSSPs and cybersecurity professionals can take to mitigate the malware.
Among the twists to note, the advisory said BlackMatter is a possible rebrand of DarkSide, a RaaS (Ransomware as a Service) that was active from September 2020 through May 2021. The BlackMatter actors have demanded ransom payments ranging from $80,000 to $15 million in Bitcoin and Monero, the cybersecurity advisory noted.
To drive down BlackMatter ransomware attack risks, the advisory recommended the following steps:
1. Implement detection signatures: The following Snort signatures may be used to detect network activity associated with BlackMatter, the advisory said:
Intrusion Detection System Rule:
alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )
Inline Intrusion Prevention System Rule:
alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; priority:1; sid:10000001; )
rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400
Those signatures "will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours," the advisory said.
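As an added illustration (not code from the advisory or from this article), the following Python emulates what the two rules above do: both byte patterns must appear, the second at least 100 bytes after the end of the first (Snort's distance semantics); a source must trigger four matches within one second; and the IPS variant then rejects further SMB from that source for 24 hours. The SMB segments, file names and addresses are constructed stand-ins, not real SMB framing.

```python
from collections import defaultdict, deque

# Patterns copied from the advisory's Snort rules quoted above.
CONTENT_1 = bytes.fromhex("01000000000005000100")
CONTENT_2 = bytes.fromhex("2e0052004500410044004d0045002e007400")  # ".README.t" UTF-16LE
DISTANCE = 100           # distance:100, relative to the end of the first match
COUNT, SECONDS = 4, 1.0  # track by_src, count 4, seconds 1
TIMEOUT = 86400          # rate_filter timeout: reject the source for 24 hours

def matches_rule(payload: bytes) -> bool:
    """Both contents present, the second starting at least DISTANCE bytes
    after the end of the first (Snort's distance semantics)."""
    first = payload.find(CONTENT_1)
    return first != -1 and payload.find(CONTENT_2, first + len(CONTENT_1) + DISTANCE) != -1

class SourceTracker:
    """Emulates detection_filter (count/seconds per source) plus the IPS
    rule's rate_filter reject timeout."""
    def __init__(self):
        self.hits = defaultdict(deque)  # src -> recent rule-match timestamps
        self.blocked_until = {}         # src -> time the reject expires

    def process(self, src: str, ts: float, payload: bytes) -> str:
        """Returns 'reject', 'alert' or 'pass' for one SMB segment."""
        if ts < self.blocked_until.get(src, -1.0):
            return "reject"             # all SMB from this host is rejected
        if not matches_rule(payload):
            return "pass"
        window = self.hits[src]
        window.append(ts)
        while ts - window[0] > SECONDS:
            window.popleft()
        if len(window) < COUNT:
            return "pass"               # matched, but below the threshold
        self.blocked_until[src] = ts + TIMEOUT
        return "alert"

def smb_write_like(filename: str, gap: int = DISTANCE) -> bytes:
    """Constructed stand-in for an SMB segment (not real SMB framing)."""
    return CONTENT_1 + b"\x00" * gap + filename.encode("utf-16-le")

def run_demo() -> list:
    """Constructed traffic: one host drops the note on four shares within a
    second, then sends ordinary SMB; another host writes an ordinary file."""
    tracker = SourceTracker()
    events = [("10.0.0.5", 0.2 * i, smb_write_like(".README.txt")) for i in range(4)]
    events += [("10.0.0.5", 0.9, smb_write_like("budget.xlsx")),
               ("10.0.0.9", 3.0, smb_write_like("budget.xlsx"))]
    return [(src, ts, tracker.process(src, ts, p)) for src, ts, p in events]
```

The fourth note placement from 10.0.0.5 raises the alert, and its later ordinary write is rejected because the whole host is blocked, which is the behaviour the advisory describes.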
2. Use Strong Passwords: Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on a system where an adversary may have access. Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account, the advisory said.
3. Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems, the advisory said.
4. Patch and Update Systems to keep all operating systems and software up to date, the advisory recommended.
5. Limit Access to Resources over the Network: For instance,
- Remove unnecessary access to administrative shares, especially C$. Where such shares are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity, the advisory said.
- Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines, the advisory added.
6. Implement Network Segmentation and Traversal Monitoring: Adversaries use system and network discovery techniques for network and system visibility and mapping, the advisory said. To limit that threat, the advisory recommended:
- Segment networks to prevent the spread of ransomware and restrict adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. Endpoint detection and response (EDR) tools are useful in this area, the advisory noted.
7. Use Admin Disabling Tools to Support Identity and Privileged Access Management (PAM): If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected, the advisory observed. With that risk in mind, the advisory recommended that readers:
- Implement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion, the advisory stated.
- Disable command-line and scripting activities and permissions, which threat actors often leverage.
8. Implement and Enforce Backup and Restoration Policies and Procedures: That includes steps to:
- Maintain offline backups of data, and regularly maintain backup and restoration procedures. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom demand.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure, the advisory said.
Additional Security Steps for Critical Infrastructure Organizations
Critical infrastructure organizations should apply the following additional mitigations to reduce the risk of credential compromise, the advisory said:
9. Disable the storage of clear text passwords in LSASS memory.
10. Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
11. Implement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012 R2, enable Protected Process Light for Local Security Authority (LSA).
12. Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack.
- Set a strong password policy for service accounts.
- Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.
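An added example (not from the advisory) of monitoring the Ticket-Granting Service audit log for the anomalous pattern item 12 describes. The records are constructed in the shape of Windows Security event 4769 (service ticket requested), with field names that are assumptions for this example; the check flags an account that requests tickets for many distinct services within a short window and notes whether every request used RC4-HMAC (ticket encryption type 0x17), the legacy type whose tickets are practical to crack offline.

```python
from collections import defaultdict

# Constructed records shaped like event 4769; field names are assumptions.
EVENTS = [
    {"time": 100, "account": "jdoe@CORP.LOCAL",  "service": "MSSQLSvc/db1",  "enc": 0x12},
    {"time": 101, "account": "jdoe@CORP.LOCAL",  "service": "HTTP/intranet", "enc": 0x12},
    {"time": 300, "account": "tmp01@CORP.LOCAL", "service": "MSSQLSvc/db1",  "enc": 0x17},
    {"time": 301, "account": "tmp01@CORP.LOCAL", "service": "HTTP/intranet", "enc": 0x17},
    {"time": 302, "account": "tmp01@CORP.LOCAL", "service": "CIFS/fs01",     "enc": 0x17},
    {"time": 303, "account": "tmp01@CORP.LOCAL", "service": "LDAP/dc01",     "enc": 0x17},
    {"time": 304, "account": "tmp01@CORP.LOCAL", "service": "exchange/mail", "enc": 0x17},
]
RC4_HMAC = 0x17  # ticket encryption type 0x17 = RC4-HMAC; 0x12 = AES256

def find_anomalous_tgs(events, window=60, max_distinct=4):
    """Flag accounts requesting service tickets for more than max_distinct
    different SPNs within `window` seconds, noting all-RC4 bursts."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
    findings = []
    for account, reqs in by_account.items():
        for i, start in enumerate(reqs):
            # every request from this start point that falls inside the window
            burst = [r for r in reqs[i:] if r["time"] - start["time"] <= window]
            spns = {r["service"] for r in burst}
            if len(spns) > max_distinct:
                findings.append({"account": account, "distinct_spns": len(spns),
                                 "all_rc4": all(r["enc"] == RC4_HMAC for r in burst)})
                break  # one finding per account is enough for triage
    return findings
```

Thresholds should be tuned against a baseline of normal ticket volume, since service accounts and monitoring hosts legitimately request many tickets.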
13. Industrial Control Systems/Operational Technology Security: Critical infrastructure organizations with industrial control systems/operational technology networks should also review joint CISA-FBI Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks for more mitigations, including mitigations to reduce the risk of severe business or functional degradation should the organization fall victim to a ransomware attack, the advisory said.
Responding to Ransomware Attacks
If a ransomware incident occurs at your organization, then the CISA, FBI, and NSA recommend:
- Following the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scanning backups. If possible, scan backup data with an antivirus program to check that it is free of malware.
- Reporting incidents immediately to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the U.S. Secret Service at a U.S. Secret Service Field Office.
- Applying incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.