The US government’s various security-focused agencies have become increasingly vocal of late. That’s good news for organizations faced with a ransomware landscape populated by an estimated 68 discrete variants. The latest alert from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) warns of a relatively new ransomware-as-a-service (RaaS) group known as BlackMatter.
What is BlackMatter?
The BlackMatter RaaS group first burst onto the scene in July, with rumors swirling that it may have links to the infamous DarkSide operation which retired a couple of months earlier. DarkSide was responsible for the Colonial Pipeline attack, which caused the major East Coast fuel pipeline to shut down for multiple days in May.
According to the alert, BlackMatter has already targeted “multiple” US critical infrastructure providers, despite claiming to avoid healthcare, government, oil and gas and other verticals. One of these providers, New Cooperative, was hit with a ransom of $5.9 million last month, although BlackMatter’s payment demands can reach $15 million, CISA claims.
For victim organizations, there’s a range of potential knock-on business risks, including:
- Remediation, investigation and clean-up costs
- Regulatory fines
- Reputational damage and customer attrition
- Legal costs, especially if personal data is leaked
- Productivity impact and operational outages
- Lost sales
How does BlackMatter operate?
The CISA alert has plenty for security teams to digest, based on sandbox analysis of a specific BlackMatter sample. It’s important to point out that, as a RaaS operation, multiple groups could use the same ransomware in slightly different ways to attack their targets.
That said, the tactics, techniques and procedures (TTPs) outlined by the alert can be summarized as:
- Persistence on victim networks — using trial accounts with legitimate remote monitoring and desktop tools
- Credential access — harvesting credentials from Local Security Authority Subsystem Service (LSASS) memory using Microsoft’s Process Monitor (procmon) tool
- Discovery of all Active Directory hosts — using embedded, previously compromised credentials over the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocols
- Enumeration of all running processes — using NtQuerySystemInformation
- Enumeration of all running services on the network — using EnumServicesStatusExW
- Lateral movement — using the “srvsvc.NetShareEnumAll” Microsoft Remote Procedure Call (MSRPC) function to list all discovered shares, and then SMB to connect to them
- Data exfiltration — stealing data for double extortion
- Encryption — remote encryption of shares via the SMB protocol. BlackMatter may also wipe backup systems
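The share-enumeration and remote-encryption steps above leave a distinctive trace on Windows file servers: one account, from one source address, touching shares on many hosts in a short window. The following Python is an added detection example written for this post; it is not code from the CISA alert or from Illumio. The records are constructed and modelled on Windows Security event ID 5140 (“A network share object was accessed”); the field names, account names, hosts and thresholds are assumptions.

```python
"""Flag SMB share-access fan-out in Windows Security event 5140 records.

Constructed example: event fields, account names and hosts are assumptions
modelled on event 5140 ("A network share object was accessed"), not data
from the CISA alert or from Illumio.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, subject, src_ip, host, share):
    """Build one constructed 5140-style record."""
    return {"time": ts, "event_id": 5140, "subject": subject,
            "src_ip": src_ip, "target_host": host, "share": share}


SAMPLE_EVENTS = (
    # Normal interactive use: one user, two shares on one file server.
    [_ev("2021-10-19T09:00:05", "CORP\\alice", "10.0.2.11", "FS01", "\\\\FS01\\Finance"),
     _ev("2021-10-19T09:03:40", "CORP\\alice", "10.0.2.11", "FS01", "\\\\FS01\\Shared")]
    # Backup service account touching three hosts an hour apart: wide, but slow.
    + [_ev(f"2021-10-19T{h:02d}:00:00", "CORP\\svc_backup", "10.0.5.20",
           f"SRV{h:02d}", f"\\\\SRV{h:02d}\\Backups") for h in (1, 2, 3)]
    # One account reaching the C$ admin share on eight hosts within a minute:
    # the share-enumeration / remote-encryption pattern described in the alert.
    + [_ev(f"2021-10-19T02:15:{8 * i:02d}", "CORP\\svc_it", "10.0.3.77",
           f"WS{i:02d}", f"\\\\WS{i:02d}\\C$") for i in range(8)]
)


def detect_share_fanout(events, window_seconds=300, host_threshold=5):
    """Return one alert per (account, source IP) that reached at least
    `host_threshold` distinct hosts' shares inside any `window_seconds` window."""
    window = timedelta(seconds=window_seconds)
    by_actor = defaultdict(list)
    for e in events:
        if e.get("event_id") != 5140:
            continue
        by_actor[(e["subject"], e["src_ip"])].append(
            (datetime.fromisoformat(e["time"]), e["target_host"], e["share"]))

    alerts = []
    for (subject, src_ip), rows in by_actor.items():
        rows.sort()  # chronological, so each row can open a sliding window
        best = None
        for i, (t0, _, _) in enumerate(rows):
            hosts, shares = set(), set()
            for t, host, share in rows[i:]:
                if t - t0 > window:
                    break
                hosts.add(host)
                shares.add(share)
            if len(hosts) >= host_threshold and (
                    best is None or len(hosts) > best["distinct_hosts"]):
                best = {
                    "subject": subject, "src_ip": src_ip,
                    "window_start": t0.isoformat(),
                    "distinct_hosts": len(hosts),
                    # Admin shares (ADMIN$, C$, ...) reached en masse is the worse case.
                    "severity": "high" if any(s.endswith("$") for s in shares) else "medium",
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_share_fanout(SAMPLE_EVENTS):
        print(a)
```

The window and host threshold are the tuning knobs: a backup account that legitimately touches many hosts over a night does not trip a five-minute window, while an account sweeping admin shares across workstations in under a minute does. Allowlisting known backup and management accounts is the usual next refinement.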
How can Illumio help?
The CISA alert lists multiple best practice steps that organizations can take to mitigate the impact of an attack. These range from strong password management and multi-factor authentication to patch management and implementing least privilege access to network resources.
However, one of the most important recommendations is to implement segmentation to restrict ransomware’s ability to move freely across the network:
“Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.”
Illumio stops ransomware in its tracks with a simple three-step approach:
- Gain risk-based visibility: Illumio automatically maps communications and dependencies across all workloads, data centers, and public clouds.
- Assess risk: Illumio highlights the corporate applications and systems most at risk.
- Contain ransomware: We use this insight to lock down any risky pathways and ports, such as SMB, that may be used to facilitate lateral movement.
Following these steps, Illumio can proactively restrict ransomware threat actors like BlackMatter before they cause serious damage, while isolating critical assets. Policy generation is simplified by automated processes that suggest optimized segmentation policies for any type of workload (bare metal, virtual machines, containers). We can even pre-build an emergency lockdown switch that, in the event of a breach, blocks specific network communications.
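To make the three steps concrete, here is an added Python example, written for this post rather than taken from Illumio or the CISA alert, that walks through them for SMB: a constructed workload inventory with role labels (visibility), a ranking of which workloads are reached over SMB by the most sources (assess risk), and a default-deny policy that allows SMB only along declared dependencies, with a lockdown switch that denies all SMB (contain). The inventory, dependencies, flows and role names are all assumptions.

```python
"""Turn a workload dependency map into a default-deny SMB allowlist,
with an emergency lockdown switch.

Constructed example: the inventory, role labels, dependencies and flows are
assumptions for illustration; this is not Illumio's policy model or code.
"""
SMB_PORTS = {139, 445}

# Step 1, visibility: constructed inventory of workload -> role label.
WORKLOADS = {
    "10.0.2.11": "user-laptop", "10.0.2.12": "user-laptop",
    "10.0.5.20": "backup-server",
    "10.0.6.5": "file-server", "10.0.6.6": "file-server",
    "10.0.7.9": "domain-controller",
}

# Declared dependencies over SMB: which source roles legitimately need
# which destination roles. Anything else on 139/445 is a candidate pathway
# for lateral movement and remote encryption.
SMB_DEPENDENCIES = {
    "user-laptop": {"file-server"},
    "backup-server": {"file-server", "domain-controller"},
}

# Constructed observed flows: (source IP, destination IP, destination port).
OBSERVED_FLOWS = [
    ("10.0.2.11", "10.0.6.5", 445),   # laptop -> file server: expected
    ("10.0.5.20", "10.0.6.6", 445),   # backup -> file server: expected
    ("10.0.5.20", "10.0.7.9", 445),   # backup -> domain controller: expected
    ("10.0.2.11", "10.0.2.12", 445),  # laptop -> laptop: peer-to-peer SMB, risky
    ("10.0.2.12", "10.0.7.9", 445),   # laptop -> domain controller over SMB: risky
    ("10.0.9.99", "10.0.6.5", 139),   # unknown source: risky
    ("10.0.2.11", "10.0.7.9", 389),   # LDAP: outside this policy's scope
]


def assess_exposure(flows, workloads):
    """Step 2, assess risk: destinations ranked by the number of distinct
    sources that reach them over SMB, most exposed first."""
    reach = {}
    for src, dst, port in flows:
        if port in SMB_PORTS:
            reach.setdefault(dst, set()).add(src)
    return sorted(((workloads.get(d, "unknown"), d, len(s)) for d, s in reach.items()),
                  key=lambda r: (-r[2], r[1]))


def decide(flow, workloads=WORKLOADS, deps=SMB_DEPENDENCIES, lockdown=False):
    """Step 3, contain: allow an SMB flow only along a declared dependency.
    In lockdown every SMB flow is denied regardless of dependencies."""
    src, dst, port = flow
    if port not in SMB_PORTS:
        return "out-of-scope"
    if lockdown:
        return "deny"
    src_role = workloads.get(src)
    dst_role = workloads.get(dst)
    if src_role is not None and dst_role in deps.get(src_role, set()):
        return "allow"
    return "deny"  # default deny: unknown sources and undeclared pairs alike


def generate_policy(flows, lockdown=False):
    """Return the decision for every observed flow."""
    return [(flow, decide(flow, lockdown=lockdown)) for flow in flows]


if __name__ == "__main__":
    for role, ip, n in assess_exposure(OBSERVED_FLOWS, WORKLOADS):
        print(f"{ip:12} {role:18} reached over SMB by {n} source(s)")
    for flow, verdict in generate_policy(OBSERVED_FLOWS):
        print(flow, "->", verdict)
```

The design choice worth noting is that the policy is built from declared dependencies rather than from everything observed: a flow that is seen today but has no business reason is denied by default, which is exactly the laptop-to-laptop and laptop-to-domain-controller SMB that remote share encryption relies on. Flipping `lockdown=True` denies SMB everywhere, including the declared backup paths, which is the trade-off an emergency switch makes.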
No organization can confidently claim they are 100 percent breach-proof today. But with Illumio, you have the technology to stop threat actors before they can cause any irreparable harm.
To learn more:
- Visit Illumio's visibility and ransomware containment page.
- Read the paper, How to Prevent Ransomware From Becoming a Cyber Disaster.
- Check out the blog post, 9 Reasons to Use Illumio to Fight Ransomware.