{"id":7165,"date":"2021-10-20T14:24:26","date_gmt":"2021-10-20T21:24:26","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7165"},"modified":"2024-08-07T12:18:29","modified_gmt":"2024-08-07T19:18:29","slug":"blackmatter-ransomware","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/blackmatter-ransomware\/","title":{"rendered":"BlackMatter Ransomware"},"content":{"rendered":"

Author: Christopher Kim<\/strong><\/h3>\n

 <\/p>\n

1. Executive Summary<\/h3>\n

On 18 October, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) published a joint advisory on BlackMatter ransomware.1<\/sup> Since July, campaigns delivering this malware have targeted multiple U.S.-based organizations critical to the country\u2019s infrastructure, including two in the U.S. Food and Agriculture Sector.<\/p>\n

BlackMatter uses compromised credentials to access Microsoft Access Directory (AD) of organizations via the Lightweight Directory Active Protocol (LDAP) and the Server Message Block (SMB) protocol. Once logged in, the actors can discover all hosts on the network and then remotely encrypt their resources. This advisory describes (1) the various tactics, techniques, and procedures (TTPs) that the FBI, CISA, and NSA discovered by analyzing a BlackMatter sample in a sandbox environment and (2) information reported by trusted third-party security vendors.<\/p>\n

2. Analysis<\/h3>\n

BlackMatter is a ransomware-as-a-service (RaaS) tool that was first discovered in July 2021. According to the advisory, BlackMatter might be a rebrand of DarkSide: a RaaS that was active from September 2020 to May 2021. Developers of BlackMatter profit by renting it out to cyber actors. BlackMatter campaigns have demanded ransom payments from $80,000 to $15,000,000 in Bitcoin or Monero.<\/p>\n

2.1 TTPs<\/h3>\n

BlackMatter uses a number of built-in Windows functions to identify accessible resources and to move laterally across a victim\u2019s network; for example, to terminate security programs, BlackMatter uses NtQuerySystemInformation and EnumServicesStatusExW to list the processes and services running on the machines. It then uses compromised network credentials to discover all hosts in AD via the LDAP and SMB. Next, it uses the Microsoft Remote Procedure Call (MSRPC) function srvsvc.NetShareEnumAll to enumerate and connect to accessible SMB shares. Finally, it remotely encrypts the compromised host\u2019s resources and the contents of ADMIN$, C$, SYSVOL, NETLOGON, and other shares it discovered. Instead of encrypting backup data stores and appliances, it destroys or reformats them. BlackMatter also targets Linux-based machines, such as VMware ESXi and network-attached storage (NAS) devices, but it employs a separate encryption binary to encrypt them.2<\/sup><\/p>\n

The following table maps BlackMatter\u2019s TTPs to the MITRE ATT&CK for Enterprise framework according to the analysis performed on the sample described in the advisory.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Tactic<\/strong><\/td>\nTechnique<\/strong><\/td>\nProcedure<\/strong><\/td>\n<\/tr>\n
Persistance [TA0003<\/a>]<\/td>\nExternal Remote Services [T1133<\/a>]<\/u><\/td>\nTo maintain persistence on victims\u2019 networks, BlackMatter leverages legitimate desktop software for remote monitoring and management, often by setting up trial accounts.<\/td>\n<\/tr>\n
Credential Access [TA0006<\/a>]<\/u><\/td>\nOS Credential Dumping: LSASS Memory [T1003.001<\/a>]<\/u><\/td>\nBlackMatter uses procmon to harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory.<\/td>\n<\/tr>\n
Discovery [TA0007<\/a>]<\/u><\/td>\nRemote System Discovery [T1018<\/a>]<\/u><\/td>\nBlackMatter leverages the LDAP and SMB to discover all hosts in AD.<\/td>\n<\/tr>\n
Process Discovery [T1057<\/a>]<\/u><\/td>\nBlackMatter uses NtQuerySystemInformation to enumerate processes running on the network.<\/td>\n<\/tr>\n
System Service Discovery [T1007<\/a>]<\/u><\/td>\nBlackMatter uses EnumServicesStatusExW to enumerate services running on the network.<\/td>\n<\/tr>\n
Lateral Movement [TA0008<\/a>]<\/u><\/td>\nRemote Services: SMB\/Windows Admin Shares [T1021.002<\/a>]<\/u><\/td>\nBlackMatter uses the MSRPC function srvsvc.NetShareEnumAll to enumerate all discovered shares, and it uses the SMB to connect to them.<\/td>\n<\/tr>\n
Exfiltration [TA0010<\/a>]<\/u><\/td>\nExfiltration Over Web Service [T1567<\/a>]<\/u><\/td>\nBlackMatter attempts to exfiltrate data for extortion.<\/td>\n<\/tr>\n
Impact [TA0040<\/a>]<\/u><\/td>\nData Encrypted for Impact [T1486<\/a>]<\/u><\/td>\nBlackMatter remotely encrypts shares via the SMB and drops a ransomware note into each directory.<\/td>\n<\/tr>\n
Disk Wipe [T1561<\/a>]<\/u><\/td>\nBlackMatter might wipe out backup systems.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

3. Prevention and Mitigation<\/h3>\n

Ransomware attacks can be costly to mitigate, and they can disrupt business-critical services. The FBI, CISA, and NSA recommend that organizations refer to (1) the CISA-Multi-State information and Sharing Center (MS-ISAC) Joint Ransomware Guide, for general strategies for mitigating against ransomware, and to (2) the CISA-FBI Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.3, 4<\/sup> In addition, the agencies strongly recommend that organizations, especially those in sectors critical to the country\u2019s infrastructure, apply the following mitigations to reduce the likelihood of being compromised by BlackMatter:<\/p>\n