Federal authorities are warning that BlackMatter ransomware actors are targeting critical infrastructure operators, including two organizations in the food supply chain, in the last few months.
BlackMatter emerged over the summer and officials from the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and NSA said Monday that actors affiliated with the group had been going after various critical infrastructure (CI) organizations, using a variety of tactics and techniques. The group targets not only Windows machines, but also Linux servers, and has been observed wiping or reformatting backup systems to hamper recovery efforts. The group’s main initial access technique is using previously compromised, embedded credentials for LDAP and SMB in order to then get into the Microsoft Entra ID. From there, the actors enumerate all of the machines on the network and encrypts them.
“The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExWto enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares,” the advisory says.
“Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.”
Once an actor has access to Microsoft Entra ID, all bets are off.
BlackMatter is a newer ransomware-as-a-service (RaaS) operation and researchers believe it is likely the older DarkSide operation under a different name. DarkSide actors were responsible for the attack on the Colonial Pipeline earlier this year, an intrusion that drew the attention of the White House. Though the company paid a hefty ransom, the FBI eventually recovered about $2.3 million of it by tracing the payment to a specific Bitcoin wallet and then identifying the computer on which that wallet was located.
“The old adage, follow the money still applies. When they target critical infrastructure, we will spare no effort in our response. Today we turned the tables on DarkSide by going after the entire ecosystem that fuels this and we will continue to increase the cost of doing business for these attackers,” Deputy Attorney General Lisa Monaco said in June.
Ransomware groups have consistently targeted CI entities and operators for the last year or so, going after organizations in the food supply chain, water treatment operators, electrical grid operators, and organizations in the energy sector. Last week, CISA warned that ransomware actors had successfully compromised at least three wastewater system operators in the last year, including facilities in Maine, Nevada, and California.
“This activity—which includes attempts to compromise system integrity via unauthorized access—threatens the ability of WWS facilities to provide clean, potable water to, and effectively manage the wastewater of, their communities,” the advisory says.
The BlackMatter actors appear to be following a similar playbook, targeting organizations in CI sectors. When successful, those attacks can generate large, quick ransom payments because the operators can’t afford to have their systems offline. But they also tend to be noisy and draw immediate attention from law enforcement agencies and federal officials, which is suboptimal for criminal organizations.
“Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations,” the new advisory says.
“Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services.”