BlackMatter Ransomware Players Targeting Critical Infrastructures


Federal authorities are warning that BlackMatter ransomware players have targeted critical infrastructure operators, including two food supply chain organizations, in recent months.

BlackMatter emerged over the summer, and officials from the Cybersecurity and Infrastructure Security Agency (CISA), FBI and NSA said on Monday that actors affiliated with the group had attacked various critical infrastructure (CI) organizations using a range of tactics and techniques. The group targets not only Windows machines but Linux servers as well, and has been observed erasing or reformatting backup systems to hamper recovery efforts. The group’s primary initial access technique is to use previously compromised built-in credentials for LDAP and SMB to reach Active Directory. From there, the actors enumerate all the machines on the network and encrypt them.

“The BlackMatter variant uses built-in administrator or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the credentials built into the LDAP and SMB protocols to discover all hosts in the AD, and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares,” the report says.

Notably, this variant of BlackMatter leverages built-in credentials and the SMB protocol to remotely encrypt, from the original compromised host, the content of all shares discovered, including ADMIN$, C$, SYSVOL and NETLOGON.
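One defensive check this behaviour suggests, added here as an example and not taken from the advisory or the article: flag a single source address that reaches administrative shares on many hosts within a short window, which is what the remote encryption described above looks like in share-access telemetry. The record layout and sample lines are constructed for illustration (loosely modelled on Windows Security event 5140, "a network share object was accessed"), not a real log schema.

```python
"""Flag one source touching administrative shares on many hosts over SMB.
Constructed records loosely modelled on event 5140; layout is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Shares the advisory reports BlackMatter encrypting remotely over SMB.
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}

# Constructed sample: a backup sweep of C$, a user on a normal share,
# then one workstation reaching admin shares on six hosts within seconds.
SAMPLE = """\
2021-10-18T09:00:05 FS01 svc_backup 10.0.9.4 C$
2021-10-18T14:02:10 FS01 jdoe 10.0.5.23 Finance
2021-10-18T14:03:01 FS01 admin_old 10.0.5.23 ADMIN$
2021-10-18T14:03:04 FS02 admin_old 10.0.5.23 ADMIN$
2021-10-18T14:03:07 DC01 admin_old 10.0.5.23 SYSVOL
2021-10-18T14:03:09 DC01 admin_old 10.0.5.23 NETLOGON
2021-10-18T14:03:12 WS11 admin_old 10.0.5.23 C$
2021-10-18T14:03:15 WS12 admin_old 10.0.5.23 C$
2021-10-18T14:03:18 WS13 admin_old 10.0.5.23 ADMIN$
""".splitlines()

def parse_share_events(lines):
    """Parse 'timestamp host account source_ip share' records."""
    events = []
    for line in lines:
        ts, host, account, src, share = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "account": account, "src": src, "share": share.upper()})
    return events

def flag_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Return {source_ip: sorted hosts} where one source reached admin shares
    on >= min_hosts distinct hosts inside a sliding window. Backup servers and
    jump boxes trip this by design: allow-list them, do not raise min_hosts."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1          # drop events older than the window
            hosts = {e["host"] for e in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
    return hits
```

Running `flag_fan_out(parse_share_events(SAMPLE))` reports only 10.0.5.23 with its six hosts; the SYSVOL and NETLOGON hits on a domain controller from a workstation deserve their own high-severity rule.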

Once an actor has access to Active Directory, all bets are off.

BlackMatter is a newer ransomware-as-a-service (RaaS) operation, and researchers believe it is likely the older DarkSide operation under a different name. The DarkSide actors were responsible for the attack on Colonial Pipeline earlier this year, an intrusion that caught the attention of the White House. Although the company paid a hefty ransom, the FBI ultimately recovered around $2.3 million by tracing the payment to a specific Bitcoin wallet and then identifying the computer that wallet was on.

“The old adage ‘follow the money’ still applies. When they target critical infrastructure, we will spare no effort in our response. Today we have turned the tide on DarkSide by attacking the entire ecosystem that powers this, and we will continue to increase the cost of doing business for these attackers,” Deputy Attorney General Lisa Monaco said in June.

Ransomware groups have systematically targeted CI entities and operators for about a year, attacking food supply chain organizations, water treatment operators, power grid operators and energy industry organizations. Last week, CISA warned that ransomware players had successfully compromised at least three water and wastewater system (WWS) operators over the past year, including facilities in Maine, Nevada and California.

“This activity, which includes attempts to compromise the integrity of the system through unauthorized access, threatens the ability of WWS facilities to provide clean, potable water to their communities and to effectively manage their communities’ wastewater,” the notice states.

BlackMatter players seem to be following a similar playbook, targeting organizations in the CI sectors. When successful, these attacks can generate large and fast ransom payments, as operators cannot afford to take their systems offline. But they also tend to be loud and draw the immediate attention of law enforcement agencies and federal officials, which is not optimal for criminal organizations.

“Since July 2021, BlackMatter ransomware has targeted several US critical infrastructure entities, including two organizations in the US food and agriculture industry,” the new advisory states.

“Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services.”
