WHAT IS BLACKMATTER?
You can think of BlackMatter as an IT organization that supplies ransomware tooling to cyberattackers. It is a ‘Big Game Hunter’ ransomware-as-a-service (RaaS) operation that provides the technology needed to exfiltrate information, encrypt data, bring down servers, and demand ransom from targeted organizations.
It was first observed in July 2021 as a platform through which ransomware developers profit from affiliates who use the software to deploy ransomware attacks against victims.
It is also widely considered a rebrand of DarkSide, which was active until May 2021, shortly before BlackMatter appeared. Using this RaaS operation, several adversaries have attacked multiple U.S. organizations and have received ransom payments ranging from USD 80,000 to USD 15,000,000 in cryptocurrency.
TECHNIQUES, TACTICS & PROCEDURES USED BY BLACKMATTER
According to the joint advisory released by CISA, the FBI, and the NSA, running a BlackMatter ransomware sample in a sandbox environment revealed the following TTPs used by the actors:
The studied variant used previously compromised credentials embedded in the binary, belonging to both administrators and ordinary users. It called NtQuerySystemInformation to enumerate currently running processes and EnumServicesStatusExW to list services. It then used the embedded credentials over the LDAP and SMB protocols to discover all hosts in the Active Directory domain, and called the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function on each host to list the shares it could access. Notably, the variant then used the same credentials and the SMB protocol to encrypt the contents of every discovered share remotely from the compromised host, including ADMIN$, NETLOGON, C$, and SYSVOL.
The BlackMatter adversaries use a separate encryption binary for Linux machines and apply their standard encryption to ESXi virtual machines. Also, while most ransomware actors encrypt backup systems, the users of this ransomware delete or alter the backup data instead.
The table below maps the TTPs described above to the MITRE ATT&CK framework, so that an enterprise defense can be built around the behaviour of the studied variant.
HOW TO MITIGATE BLACKMATTER RANSOMWARE
Listed below are a few mitigation options that can help reduce the risk of these attacks.
- Enforce Multi-Factor Authentication (MFA) wherever possible.
Multi-factor authentication requires two or more verification factors to access shared hosts or any other resource. Enforcing it therefore provides a second line of defense that protects your servers from BlackMatter actors even when they hold a valid password.
- Use extremely strong passwords.
This old-school control is still one of the strongest defenses against any cyberattack. Mandate strong, unique passwords for every account that must log in for access; for instance, require a mix of upper- and lower-case letters, numbers, and at least one special character. Ensure that passwords are unique to each account and never reused, and do not store them on systems that adversaries could compromise and read.
- Employ Patch Management processes on externally facing appliances such as VPNs.
Software bugs are the easiest vulnerabilities for attackers to find. A timely patch management process is therefore essential to apply updates and fixes to these appliances as soon as they are released.
- Keep backup plans well maintained and operational.
If servers go down in an attack, backups are vital for restoring them. Back up your data regularly so the backups stay current. Keep offline backups as well, so that attackers cannot reach them. When creating backups, ensure that they are encrypted, immutable, and cover the entire IT infrastructure.
- Assess the organization’s external infrastructure and look for devices that are easily accessible.
Besides the internal infrastructure, conduct timely assessments of the organization’s external posture, including exposed systems such as Exchange and vCenter servers. This helps identify loopholes that cyberattackers could exploit.
- Rotate account passwords and look for leaked credentials.
Attacks conducted with leaked credentials can go unnoticed for days, months, or even years, so keep looking for compromised credentials. Also mandate regular changing and rotation of user, admin, and service account passwords. This makes it harder for BlackMatter actors to move laterally through the network.
- Implement detection signatures.
You can deploy detection signatures as intrusion detection system (IDS) rules and inline intrusion prevention system (IPS) rules to mitigate BlackMatter ransomware. Such signature-based detections help identify and block the placement of the ransom note on the first encrypted share, and then block the further SMB traffic coming from the encryptor system for an entire day (24 hours).
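The behaviour described in the TTP section above (one compromised host writing to ADMIN$, C$, NETLOGON and SYSVOL on host after host over SMB) and the signature-based rule just recommended can be expressed as a simple detection over share-access events. The following is an added example written for this page, not code from the advisory or from the BlackMatter tooling. The event fields follow Windows Security event 5145 (network share object checked for access); the sample events, the three-host threshold, the 15-minute window and the Alert shape are this example’s own constructions, and the 24-hour block duration is taken from the text above.

```python
"""Flag one client writing to administrative shares on many hosts in a short
window, and compute the 24-hour SMB block the mitigation above recommends.

Added example. Sample events are constructed; field names follow Windows
Security event 5145. Threshold, window and Alert layout are arbitrary choices.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

ADMIN_SHARES = {"ADMIN$", "C$", "NETLOGON", "SYSVOL"}   # shares named in the TTP description
WRITE_DATA = 0x2                                         # AccessMask bit for WriteData / AddFile
BLOCK_FOR = timedelta(hours=24)                          # block duration from the text above


@dataclass(frozen=True)
class ShareAccess:
    time: datetime
    host: str           # computer that logged the event, i.e. the share's server
    source_ip: str      # IpAddress: the client touching the share
    account: str        # SubjectUserName
    share: str          # ShareName as logged, e.g. \\*\ADMIN$
    access_mask: int    # AccessMask


@dataclass
class Alert:
    source_ip: str
    account: str
    hosts: List[str]        # distinct hosts written to, in order of first write
    block_until: datetime   # when inline blocking of this client may lapse


def share_basename(share: str) -> str:
    # \\*\ADMIN$ -> ADMIN$ ; share names compare case-insensitively
    return share.rsplit("\\", 1)[-1].upper()


def is_admin_share_write(ev: ShareAccess) -> bool:
    return share_basename(ev.share) in ADMIN_SHARES and bool(ev.access_mask & WRITE_DATA)


def detect_share_fanout(events: List[ShareAccess], threshold: int = 3,
                        window: timedelta = timedelta(minutes=15)) -> List[Alert]:
    """Single pass over time-ordered events.

    For each client IP remember the first admin-share write to each host,
    forget hosts whose first write fell out of `window`, and raise one alert
    the moment a client reaches `threshold` distinct hosts.  Read-only access
    (e.g. logon scripts read from NETLOGON) never counts.
    """
    seen: Dict[str, Dict[str, datetime]] = {}   # source_ip -> host -> first write time
    alerted: Set[str] = set()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.time):
        if not is_admin_share_write(ev):
            continue
        hosts = seen.setdefault(ev.source_ip, {})
        for stale in [h for h, t in hosts.items() if ev.time - t > window]:
            del hosts[stale]
        hosts.setdefault(ev.host, ev.time)
        if len(hosts) >= threshold and ev.source_ip not in alerted:
            alerted.add(ev.source_ip)
            alerts.append(Alert(ev.source_ip, ev.account,
                                sorted(hosts, key=hosts.get),
                                ev.time + BLOCK_FOR))
    return alerts


def ts(minute: int, second: int = 0) -> datetime:
    return datetime(2021, 10, 18, 9, minute, second)   # constructed timestamps


SAMPLE_EVENTS = [
    # normal logon-script reads from NETLOGON/SYSVOL: read-only, never counted
    ShareAccess(ts(0), "DC01", "10.0.0.51", "alice", r"\\*\NETLOGON", 0x1),
    ShareAccess(ts(0, 5), "DC02", "10.0.0.51", "alice", r"\\*\SYSVOL", 0x1),
    # backup service writing to one host's ADMIN$: a single host, no alert
    ShareAccess(ts(1), "FS01", "10.0.0.5", "backupsvc", r"\\*\ADMIN$", 0x2),
    # one client writing to admin shares on host after host within minutes
    ShareAccess(ts(2), "FS01", "10.0.0.77", "admin2", r"\\*\ADMIN$", 0x2),
    ShareAccess(ts(2, 30), "FS02", "10.0.0.77", "admin2", r"\\*\C$", 0x2),
    ShareAccess(ts(3), "DC01", "10.0.0.77", "admin2", r"\\*\SYSVOL", 0x2),
    ShareAccess(ts(3, 30), "FS03", "10.0.0.77", "admin2", r"\\*\ADMIN$", 0x2),
    # same backup service 49 minutes later on another host: FS01 has aged out
    ShareAccess(ts(50), "FS02", "10.0.0.5", "backupsvc", r"\\*\ADMIN$", 0x2),
]

if __name__ == "__main__":
    for a in detect_share_fanout(SAMPLE_EVENTS):
        print(f"{a.source_ip} ({a.account}) wrote to admin shares on {a.hosts}; "
              f"block SMB from it until {a.block_until:%Y-%m-%d %H:%M}")
```

Run on the sample, the rule raises exactly one alert, for 10.0.0.77 at 09:03 after its third host, with a block expiring at 09:03 the next day; the logon-script reads and the slow backup service stay silent. Tune the threshold and window to the number of hosts an administrator legitimately touches in your environment before deploying it as an IDS/IPS rule.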
- Deploy network segmentation and traversal monitoring.
Most attackers use network discovery tactics to gain visibility of the network and map out their attack. Segmenting the network prevents ransomware from spreading across the entire IT environment. In addition, traversal monitoring tools that record all the logs, such as a SIEM, are useful for continuous monitoring and detection.
- Implement a threat monitoring and blocking system to contain early malware incidents.
Deploy threat monitoring tools such as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), together with firewall maintenance and vulnerability assessment and penetration testing (VAPT), to monitor continuously and quickly detect anomalous incidents.
- Disable the storage of plain-text passwords in LSASS memory.
Allow LSASS to hold only hashed or encrypted credential material, never plain-text passwords. Plain-text passwords in LSASS memory make it far easier for BlackMatter actors to harvest credentials and penetrate your systems.
- Limit access to critical resources over the network.
Ensure that user accounts hold the least privilege necessary on the network. With this policy in place, lateral movement across the network becomes a difficult proposition for criminals.
- Disable or limit New Technology LAN Manager (NTLM) and WDigest authentication.
- Deploy Credential Guard on Windows Server 2016 or Windows 10. On Windows Server 2012 R2, deploy Protected Process Light (PPL) for the Local Security Authority (LSA) instead.
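The three credential-protection items above (no clear-text passwords in LSASS, NTLM restricted, LSA protection or Credential Guard on) all come down to registry-backed settings that can be audited from an exported .reg file. The following is an added example written for this page, not code from the advisory: the key paths and value names are the documented Windows settings (WDigest UseLogonCredential, Lsa RunAsPPL, LmCompatibilityLevel and LsaCfgFlags), while both registry exports are constructed, and the acceptable values and the OK/WEAK/MISSING verdicts are this example’s own conventions.

```python
"""Audit an exported registry snippet for the LSASS, NTLM and Credential Guard
settings recommended above, showing a weak export beside a hardened one.

Added example. Key paths and value names are the documented Windows settings;
the two .reg texts are constructed and the verdict scheme is arbitrary.
"""
import re
from typing import Dict, Set, Tuple

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WDIGEST = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# (key, value name) -> (acceptable DWORD values, what the hardened value means)
EXPECTED: Dict[Tuple[str, str], Tuple[Set[int], str]] = {
    (WDIGEST, "UseLogonCredential"): ({0}, "WDigest no longer keeps clear-text passwords in LSASS"),
    (LSA, "RunAsPPL"): ({1}, "LSA runs as a Protected Process Light"),
    (LSA, "LmCompatibilityLevel"): ({5}, "NTLMv2 only; LM and NTLMv1 responses refused"),
    (LSA, "LsaCfgFlags"): ({1, 2}, "Credential Guard enabled (1 = with UEFI lock, 2 = without)"),
}

# Constructed export of a host that still caches clear-text credentials and
# still answers NTLMv1, although LSA protection is already on.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"LmCompatibilityLevel"=dword:00000003
"""

# The same host after the mitigations have been applied.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RunAsPPL"=dword:00000001
"LmCompatibilityLevel"=dword:00000005
"LsaCfgFlags"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_dwords(text: str) -> Dict[Tuple[str, str], int]:
    """Map (key, value name), both lower-cased, to the integer DWORD value.
    Registry names are case-insensitive, so all comparisons use lower case."""
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group("name").lower())] = int(m.group("hex"), 16)
    return values


def audit(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {value name: (verdict, detail)} with verdict OK, WEAK or MISSING.

    MISSING is reported rather than assumed safe: the OS default differs by
    Windows version, so the hardened value should be set explicitly.  For
    LsaCfgFlags the registry alone does not prove Credential Guard is running
    (that also needs virtualization-based security); it shows the policy is set.
    """
    found = parse_reg_dwords(text)
    report: Dict[str, Tuple[str, str]] = {}
    for (key, name), (ok_values, meaning) in EXPECTED.items():
        actual = found.get((key.lower(), name.lower()))
        if actual is None:
            report[name] = ("MISSING", f"not set; configure explicitly ({meaning})")
        elif actual in ok_values:
            report[name] = ("OK", meaning)
        else:
            report[name] = ("WEAK", f"is {actual}, expected one of {sorted(ok_values)} ({meaning})")
    return report


if __name__ == "__main__":
    for label, export in (("weak host", WEAK_EXPORT), ("hardened host", HARDENED_EXPORT)):
        print(label)
        for name, (verdict, detail) in audit(export).items():
            print(f"  {verdict:7} {name}: {detail}")
```

On the weak export the audit reports UseLogonCredential and LmCompatibilityLevel as WEAK, RunAsPPL as OK and LsaCfgFlags as MISSING; on the hardened export every value is OK. In practice the .reg text would come from `reg export` of the two keys on each host, collected centrally, and the same checks apply whether the values were set by Group Policy or directly.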
- Reduce the attack surface of Active Directory to minimize abnormal ticket-granting activity. To prevent “Kerberoasting” attacks on AD:
  - Mandate strong passwords for all service accounts.
  - Monitor and audit all domain controllers for successful Kerberos Ticket-Granting Service (TGS) requests, so that anomalous activity can be detected and stopped.
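The audit just recommended is usually implemented as a rule over the domain controllers’ Security event 4769 (a Kerberos service ticket was requested): an account that obtains RC4-encrypted service tickets for many different service accounts within minutes is the pattern to flag, because RC4 tickets are what an offline password-guessing attack on a weak service-account password relies on. The following is an added example written for this page, not code from the advisory. The field names follow event 4769 and the encryption-type codes (0x17 RC4-HMAC, 0x12 AES256, 0x11 AES128) are the documented values; the events, the threshold and the window are constructed for this example.

```python
"""Flag accounts that collect RC4-encrypted service tickets for many distinct
service accounts in a short window: the Kerberos TGS audit recommended above.

Added example. Field names follow Windows Security event 4769; the events,
threshold and window are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17   # TicketEncryptionType codes: 0x17 RC4-HMAC, 0x12 AES256, 0x11 AES128
AES256 = 0x12


@dataclass(frozen=True)
class TgsRequest:
    time: datetime
    account: str      # TargetUserName: the principal requesting the ticket
    service: str      # ServiceName: the account behind the requested SPN
    enc_type: int     # TicketEncryptionType
    client_ip: str    # IpAddress
    status: int = 0   # failure code, 0x0 = success


def is_roastable(req: TgsRequest) -> bool:
    """An RC4 service ticket for a user-style service account.

    Tickets for machine accounts (names ending in '$') and for krbtgt are
    excluded: those keys are long and random, not the weak service-account
    passwords the Kerberoasting mitigation is concerned with.
    """
    if req.service.endswith("$") or req.service.lower() == "krbtgt":
        return False
    return req.status == 0 and req.enc_type == RC4_HMAC


def find_kerberoast_candidates(events: List[TgsRequest], threshold: int = 3,
                               window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Return {account: sorted distinct services} for every account that obtained
    RC4 tickets for at least `threshold` distinct services inside `window`."""
    per_account: Dict[str, List[TgsRequest]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        if is_roastable(ev):
            per_account[ev.account].append(ev)
    flagged: Dict[str, List[str]] = {}
    for account, reqs in per_account.items():
        start = 0                                   # sliding window over time-ordered requests
        for end in range(len(reqs)):
            while reqs[end].time - reqs[start].time > window:
                start += 1
            if len({r.service for r in reqs[start:end + 1]}) >= threshold:
                flagged[account] = sorted({r.service for r in reqs})
                break
    return flagged


def ts(minute: int, second: int = 0) -> datetime:
    return datetime(2021, 10, 18, 9, minute, second)   # constructed timestamps


SAMPLE_4769_EVENTS = [
    TgsRequest(ts(0), "alice", "svc_sql", AES256, "10.0.0.21"),        # AES ticket: normal
    TgsRequest(ts(1), "bob", "svc_web", AES256, "10.0.0.22"),
    TgsRequest(ts(2), "alice", "WS01$", RC4_HMAC, "10.0.0.21"),        # machine account: excluded
    TgsRequest(ts(3), "carol", "krbtgt", RC4_HMAC, "10.0.0.23"),       # krbtgt: excluded
    TgsRequest(ts(4), "jdoe", "svc_sql", RC4_HMAC, "10.0.0.99"),       # one account pulling RC4
    TgsRequest(ts(4, 10), "jdoe", "svc_web", RC4_HMAC, "10.0.0.99"),   # tickets for service
    TgsRequest(ts(4, 20), "jdoe", "svc_backup", RC4_HMAC, "10.0.0.99"),  # after service
    TgsRequest(ts(4, 30), "jdoe", "svc_sql", RC4_HMAC, "10.0.0.99"),   # repeat: not a new service
    TgsRequest(ts(5), "jdoe", "svc_print", RC4_HMAC, "10.0.0.99"),
    TgsRequest(ts(40), "dave", "svc_legacy", RC4_HMAC, "10.0.0.24"),   # lone legacy RC4 ticket
]

if __name__ == "__main__":
    for account, services in find_kerberoast_candidates(SAMPLE_4769_EVENTS).items():
        print(f"{account}: RC4 service tickets for {services}")
```

On the sample only jdoe is flagged, with four distinct services; alice’s RC4 ticket for a machine account, carol’s krbtgt ticket and dave’s single legacy RC4 ticket are ignored. A single RC4 ticket is not suspicious on its own in a domain that still has legacy services, which is why the rule counts distinct services per account rather than alerting on every RC4 request; moving service accounts to AES-only keys removes the false positives as a side effect.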
- Prepare and practice Incident Response procedures for ransomware attacks.
Build an incident response plan based on your IT posture and requirements, and rehearse it regularly so that the organization is ready to contain a BlackMatter ransomware attack.
- Block communication with the domains listed below.
Besides deploying all of the mitigation best practices above, you also need to block communication with the following domains: