The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint advisory detailing the activity of the ransomware group BlackMatter. BlackMatter is considered to likely be a reorganization of the DarkSide group, which was active from September 2020 to May 2021. The group’s activity began in July 2021 and includes ransom payment demands ranging from $80,000 to $20,000,000 targeting many USA based companies.
The CISA advisory includes analysis and IOCs of one BlackMatter variant (Virustotal link below). BlackMatter obtains user or admin credentials from a prior compromise and then enumerates running processes and services. It then utilizes LDAP and SMB to enumerate AD hosts as well as network shares using the TTPs listed in the table below. The SMB protocol is utilized to remotely encrypt all accessible shares from the original compromised host.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint advisory detailing the activity of the ransomware group BlackMatter. BlackMatter is considered to likely be a reorganization of the DarkSide group, which was active from September 2020 to May 2021. The group’s activity began in July 2021 and includes ransom payment demands ranging from $80,000 to $20,000,000 targeting many USA based companies.
The CISA advisory includes analysis and IOCs of one BlackMatter variant (Virustotal link below). BlackMatter obtains user or admin credentials from a prior compromise and then enumerates running processes and services. It then utilizes LDAP and SMB to enumerate AD hosts as well as network shares using the TTPs listed in the table below. The SMB protocol is utilized to remotely encrypt all accessible shares from the original compromised host.
Analyst Notes
The specific BlackMatter variant analyzed has SHA256:
706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
CISA suggests the following two Snort signatures:
Intrusion Detection System Rule
alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”; content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|”; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )
Inline Intrusion Prevention System Rule
alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”; content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|”; distance:100; priority:1; sid:10000001; )
rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400
While implementing signature-based detections are helpful as CISA advises, ransomware groups currently have more than sufficient monetary and skilled labor resources to continue to develop and deploy highly advanced capabilities. The use of strong passwords, along with multi-factor authentication (MFA) that covers all possible access routes, is often sufficient to defeat brute force intrusion attempts. It is also recommended to implement conditional access policies and tight role-based access control policies (RBAC), time-based identity and privilege access management, and use a host-based firewall to restrict access to administrative shares via SMB. Improving and testing offline backup data backup, as well as data restoration and disaster recovery procedures is essential.
Due to the proliferation of advanced capabilities, perimeter security and access control cannot be solely relied upon. It’s essential for organizations with complex networks to have a comprehensive post-exploitation strategy, which includes specialized threat hunting operations as well as managed detection and response solutions (MDR), such as integrated Binary Defense offerings.
https://us-cert.cisa.gov/ncas/alerts/aa21-291a
https://www.virustotal.com/gui/file/706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d
