Following the 2021 cyberattack on Colonial Pipeline that caused a nationwide supply-chain disruption, numerous cybersecurity companies and federal agencies increased their efforts to find and shut down ransomware groups and curb the rise of cyberattacks.
Those efforts have resulted in the shutdown of ransomware-as-a-service (RaaS) groups such as DarkSide and REvil, which had been targeting critical infrastructure including healthcare providers and financial systems.
Alas, now new cybercriminals are taking their place.
This is the case of BlackMatter, a hacker group that sought to fill the gap created by the shutdown of other cybercrime groups. As a result, the Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert about “BlackMatter Ransomware” malware.
Some security researchers believe BlackMatter may be a rebranding of DarkSide ransomware due to its similarities in style and execution. Regardless, the cybersecurity community is clearly dealing with a cyber threat that is constantly evolving to make detection and analysis of the code more difficult.
What Is the Purpose of BlackMatter Ransomware?
BlackMatter has followed the trend of other ransomware-as-a-service (RaaS) models that have targeted universities, healthcare facilities, and other critical infrastructure worldwide. The goal of BlackMatter actors is simple: encrypt the victim's data and demand a ransom payment in exchange for decryption. Unlike traditional ransomware schemes, however, this model also exfiltrates information from the victim networks, which the ransomware gang then uses as an extortion tool to demand a larger sum of money.
After finishing the encryption and data exfiltration, the threat actors contact the victim through a ransom note that directs them to a .onion site, where they maintain communications with the victim and negotiate the ransom payment in cryptocurrency (commonly Bitcoin or Monero).
Is BlackMatter Ransomware a Threat?
The joint advisory alert AA21-291A from the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) explained the tactics, techniques, and procedures (TTPs) that BlackMatter uses to infect its targets. Critical infrastructure is especially at risk, specifically the food and agriculture sector.
In September, the agricultural company NEW Cooperative was attacked by the BlackMatter group, who demanded a payment of $5.9 million for the recovery and protection of more than a terabyte of company data. According to security experts, the group gained access to the network through leaked and unsecured passwords, similar to the Colonial Pipeline case.
The main threat of BlackMatter ransomware resembles that of other RaaS operations: the loss of all data on infected devices and networks, along with the reputational damage of a data breach. Threat actors leverage both of these risks to push businesses into making the ransom payment.
At the end of October, the BlackMatter group announced via its RaaS portal that it would be shutting down its operations due to pressure from law enforcement authorities, following the announcement of a collaboration between U.S. and Russian authorities to hunt cyberterrorist groups.
This does not mean that BlackMatter is no longer a threat to companies. Unfortunately, as in the case of DarkSide, it may only be a matter of time before these groups resurface with a new facade to restart their malicious activities.
Can Ransomware-Infected Files Be Recovered?
Like all ransomware, BlackMatter ransomware encryption can be reversed by using the key provided by threat actors after the ransom demand has been met. That said, paying a ransom is a leap of faith. There is no way to ensure that a group of cybercriminals will hand over the key after payment is completed and will not choose to take the extortion scheme even further.
Law enforcement authorities do not recommend paying ransoms. In addition to the risk that you won’t get the promised encryption key, a ransom payment only encourages malicious actors to expand their business model and target more companies.
In the case of BlackMatter ransomware, there was a temporary solution. The cybersecurity company Emsisoft released a decryptor for the first versions of BlackMatter ransomware, which could reverse the effects for infections between July and September 2021. The latest versions of BlackMatter have now been patched, rendering Emsisoft’s solution useless.
The last alternative, recovery via backups and restoration policies, can help to counteract the effects of BlackMatter and any other ransomware. Robust backup systems should be regularly maintained and adequately protected so that an infected device cannot reach and tamper with them.
How Can I Mitigate the Threat from BlackMatter Ransomware?
In the joint advisory AA21-291A from CISA, NSA, and the FBI, they present a series of recommendations for ransomware risk management.
Detection Signature Implementation
In this context, a “signature” is a rule that describes a single pattern of network traffic. Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that monitors network traffic and matches it against such signatures. The joint advisory described a series of Snort signatures to detect and prevent the effects of BlackMatter ransomware.
Strong Authentication Practices
Fundamental cybersecurity practices are especially important considering the history of cyberattack causes in recent months, as both the Colonial Pipeline and NEW Cooperative attacks resulted from unsecured and weak passwords. Strong passwords and multi-factor authentication are essential risk mitigation measures for your organization.
Patching and Updating Systems
Keeping operating systems (OS) and software up-to-date is one of the most cost-effective measures to reduce the risk of cyberattacks by minimizing vulnerabilities already known to their developers. These are often one of the most common entry points for cyber threats.
Network Segmentation and Access Limitation Rules
While these measures do not minimize the risk of ransomware attacks, they reduce the harm of these threats by restricting the information and systems that a hacker could access when infecting a computer.
Network segmentation can prevent ransomware from spreading across multiple computers by controlling traffic between sub-networks and limiting lateral movement within the IT infrastructure. Likewise, implementing network traffic monitoring and endpoint detection and response (EDR) tools effectively identifies and blocks potential malicious connections.
Backup and Restoration Policies
Backups are the primary solution to ransomware attacks. They allow you to recover much of the encrypted data without giving in to the demands of threat actors.
Implementing offline, encrypted, and read-only backups assures that data is accessible, secure, and unchangeable in the event of a cyberattack. A proper backup prevents ransomware gangs from deleting or corrupting that data and allows you to recover your data infrastructure securely.
Identity and Privileged Access Management
Threat actors often evade malicious activity monitoring by using authorized credentials during non-business hours, especially holidays and weekends. Therefore, implement time-based access for admin accounts and zero-trust models. This limits access to a specific time frame necessary to complete the task. In addition, disable scripting permissions outside of business hours.
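As an added illustration of the time-based access recommendation above (example code, not from the advisory or this post): the script below reviews constructed logon and script-execution events and flags privileged activity that falls on a weekend, a holiday, or outside business hours. The account names, the access window, the holiday list and the log format are all assumptions for the example.

```python
"""Flag privileged activity outside an approved access window (added example)."""
from datetime import datetime, date, time
from typing import List, Optional, Tuple

# Assumed policy: admin access allowed Mon-Fri, 08:00-18:00, excluding holidays.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
HOLIDAYS = {date(2021, 11, 25), date(2021, 12, 25)}        # assumed holiday list
ADMIN_ACCOUNTS = {"da-backup", "svc-deploy", "it-admin"}  # assumed privileged accounts

# Constructed log lines in the form "<ISO timestamp>,<account>,<event>".
SAMPLE_LOG = """\
2021-11-23T09:15:00,it-admin,logon
2021-11-23T22:40:00,svc-deploy,logon
2021-11-27T03:05:00,da-backup,logon
2021-11-25T10:00:00,it-admin,script_exec
2021-11-24T14:30:00,jdoe,logon
2021-11-24T20:00:00,jdoe,script_exec
"""


def outside_window(ts: datetime) -> Optional[str]:
    """Return why a timestamp is outside the approved window, or None if inside."""
    if ts.date() in HOLIDAYS:
        return "holiday"
    if ts.weekday() >= 5:  # Saturday or Sunday
        return "weekend"
    if not (BUSINESS_START <= ts.time() < BUSINESS_END):
        return "after-hours"
    return None


def flag_events(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, account, event, reason) for activity that should be blocked.

    Admin logons are time-bound; scripting by any account is disallowed outside hours.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, account, event = line.split(",")
        if account not in ADMIN_ACCOUNTS and event != "script_exec":
            continue
        reason = outside_window(datetime.fromisoformat(ts_str))
        if reason:
            findings.append((ts_str, account, event, reason))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE_LOG):
        print(finding)
```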
Protect Your Business from Ransomware with ZenGRC
Cybercriminals’ strategies and technology are constantly evolving. Your business needs to do the same to mitigate the risk of losing control of your systems and data to ransomware. ZenGRC can assist your business with enterprise risk management (ERM) and cybersecurity risk management.
ZenGRC is a simple, user-friendly tool for documenting risk assessments, maintaining track of your workflows, and providing insightful reporting to identify areas of high risk before they become a serious problem.
As a result, cybersecurity professionals and risk managers will be more effective at their jobs, and organizations will be better protected. Prioritize risks by generating a user-friendly dashboard that allows you to see at a glance the state of each risk and what has to be done to address it.
In addition, ZenGRC creates an audit trail of your risk management operations and keeps all of your paperwork in a “single source of truth” repository for quick retrieval during audits. It also enables self-audits, ensuring that you are constantly in tune with your organization’s risk management and compliance initiatives.
Schedule a demo to learn more about how ZenGRC can improve your cybersecurity and ransomware risk management.