Published: December 29, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
There are warnings and questions surrounding a newly discovered ransomware group called BlackMatter. This advanced persistent threat (APT) group is already known for its high ransom demands and attacks on critical infrastructure in the U.S. Serious concerns about the group led to a joint advisory warning by three U.S. security organizations about the increased threat this ransomware group brings to the cybersecurity landscape. Speculation abounds as to whether BlackMatter is a reboot of the notorious ransomware group called DarkSide, famous for its epic attacks on the U.S. and its infrastructure.
DarkSide’s infamous ransomware group was previously responsible for high-profile attacks against the U.S. and its critical infrastructure. Perhaps best known for last year’s historic attack against the U.S. company Colonial Pipeline, DarkSide left a renowned history of destruction in its wake. The group claims that, since the Pipeline attack brought massive heat to its operations worldwide, it has dismantled its hacking tools, promising never to return to cybercrime. But questions remain: Can you trust the word of a group of cyberthieves? And did DarkSide simply rebrand itself as BlackMatter and return to business as usual? In the meantime, BlackMatter’s ransomware attacks continue.
The Official BlackMatter Warning
The joint advisory warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) states “BlackMatter is a possible rebrand of DarkSide, a Ransomware as a Service (RaaS) which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero…BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.”
BlackMatter is deemed a RaaS group, meaning that its conspirators (affiliates) help deliver the malware in exchange for a cut of each victim’s ransom payment. As an APT, these attackers gain access to a system and remain there for an undetermined length of time without being discovered by an organization’s security systems. This gives BlackMatter unfettered access to all types of system information and data, which it uses to improve the odds that its inevitable ransomware attack succeeds.
While the mystery of this group’s true identity remains, the joint advisory warning (BlackMatter Ransomware Alert AA21-291A) contains specific actions an organization should take to reduce their vulnerability to ransomware attacks. Some are listed here, but additional information can be found in the Alert.
Implement Detection Signatures
Require Strong Passwords for All Users
Implement Multi-Factor Authentication (MFA)
Keep Systems Patched and Updated
Limit Access to Network Resources
Implement Network Segmentation and Traversal Monitoring
Implement and Enforce Backup and Restoration Policies and Procedures
Use Admin Disabling Tools to Support Identity and Privileged Access Management
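The advisory’s “Implement Detection Signatures” and “Traversal Monitoring” items are easier to picture with a concrete check. The following is an added illustration, not code from the newsletter or from Alert AA21-291A: a toy monitor that reads share-access audit records and flags a single account (from a single source address) that touches an unusually large number of distinct hosts’ shares inside a short time window, which is one generic pattern of lateral traversal a defender would want to alert on. The simplified log format, the field names, the 60-second window, the five-host threshold, and every sample record below are constructed assumptions chosen for the example.

```python
"""Toy traversal monitor (added example, not from the advisory).

Flags one account that accesses many different hosts' shares within a short
window. The record format, thresholds and sample data are all assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed, simplified format loosely modelled
# on a "network share object was accessed" style audit event:
#   <ISO time> account=<user> src=<ip> share=\\<host>\<share>
SAMPLE_LOG = r"""
2021-10-18T02:10:01 account=alice src=10.0.5.21 share=\\FS01\Finance
2021-10-18T02:10:04 account=svc_backup src=10.0.5.7 share=\\FS01\C$
2021-10-18T02:10:05 account=svc_backup src=10.0.5.7 share=\\FS02\C$
2021-10-18T02:10:06 account=svc_backup src=10.0.5.7 share=\\WS101\C$
2021-10-18T02:10:07 account=svc_backup src=10.0.5.7 share=\\WS102\C$
2021-10-18T02:10:09 account=alice src=10.0.5.21 share=\\FS01\Finance
2021-10-18T02:10:10 account=svc_backup src=10.0.5.7 share=\\WS103\C$
2021-10-18T02:10:12 account=alice src=10.0.5.21 share=\\FS02\HR
2021-10-18T02:10:15 account=svc_backup src=10.0.5.7 share=\\DC01\ADMIN$
2021-10-18T02:45:00 account=bob src=10.0.5.30 share=\\FS02\HR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"share=\\\\(?P<host>[^\\]+)\\(?P<share>\S+)$"
)


def parse_log(text):
    """Parse records into dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_traversal(events, window=timedelta(seconds=60), min_hosts=5):
    """Return one alert per (account, src) whose count of distinct target hosts
    inside a sliding time window reaches min_hosts (assumed threshold)."""
    recent = defaultdict(deque)  # (account, src) -> deque of (ts, host)
    alerted = set()
    alerts = []
    for e in events:
        key = (e["account"], e["src"])
        q = recent[key]
        q.append((e["ts"], e["host"]))
        # Drop events that fell out of the window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and key not in alerted:
            alerted.add(key)
            alerts.append({
                "account": e["account"],
                "src": e["src"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": e["ts"].isoformat(),
                "hosts": sorted(hosts),
            })
    return alerts


def run_sample():
    """Run the monitor over the constructed sample log."""
    return find_traversal(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['account']}@{a['src']} reached {len(a['hosts'])} hosts "
              f"between {a['first_seen']} and {a['last_seen']}: {', '.join(a['hosts'])}")
```

On the sample data, `alice` and `bob` touch only one or two hosts and stay silent, while `svc_backup` crosses the threshold at the fifth distinct host and produces a single alert that lists the hosts reached; the window and threshold would be tuned against a real environment’s baseline so that legitimate backup or management accounts do not trip it on every run.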
Remember, it’s the Wild West out there in cyberspace, and protection is possible with the right approach to ransomware in particular and to cybersecurity protocols overall.