BlackMatter Ransomware

Fortify Security Team
Oct 18, 2021

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, Fortify 24×7 urges all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.

First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Tactics, Techniques, and Procedures

This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA- 256: 706f3eec328e91ff7f66c8f0a2fb9b556325 c153a329a2062dc85879c540839d. (Note: click here to see the sample’s page on VirusTotal)

The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.

BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXI virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.

Table 1 maps BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting.

Tactic Technique Procedure
Persistence [TA0003]

 

 

 

 

 

 

 

External Remote Services [T1133] BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
Tactic Technique Procedure
Credential Access [TA0006] OS Credential Dumping: LSASS Memory [T1003.001] BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
Discovery [TA0007] Remote System Discovery [T1018] BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD.
Process Discovery [T1057] BlackMatter uses NtQuerySystemInformation to enumerate running processes.
System Service Discovery [T1007] BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.
Lateral Movement [TA0008] Remote Services: SMB/Windows Admin Shares [T1021.002] BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
Exfiltration [TA0010] Exfiltration Over Web Service [T1567] BlackMatter attempts to exfiltrate data for extortion.
Impact [TA0040] Data Encrypted for Impact [T1486] BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
Disk Wipe [T1561] BlackMatter may wipe backup systems.

 

DETECTION SIGNATURES

The following Snort signatures may be used for detecting network activity associated with BlackMatter activity.

Intrusion Detection System Rule:

alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”; content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|”; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )

Inline Intrusion Prevention System Rule:

alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”; content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|”; distance:100; priority:1; sid:10000001; )
rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400

MITIGATIONS

Fortify 24×7 urges network defenders, especially for critical infrastructure organizations, to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:

Implement Detection Signatures

  • Implement the detection signatures identified above. These signatures will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24

Use Strong Passwords

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.

Implement Multi-Factor Authentication

  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical

Patch and Update Systems

  • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity

Limit Access to Resources over the Network

  • Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
  • Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator

Implement Network Segmentation and Traversal Monitoring

Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions.

  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to— various subnetworks and by restricting adversary lateral
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.

Use Admin Disabling Tools to Support Identity and Privileged Access Management

If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected. Given that there has been an observed increase in ransomware attacks during non- business hours, especially holidays and weekends, Fortify 24×7 recommend organizations:

  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving

Implement and Enforce Backup and Restoration Policies and Procedures

  • Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data

Fortify 24×7 urges critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise.

  • Disable the storage of clear text passwords in LSASS memory
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
  • Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to
  • Set a strong password policy for service
  • Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous

RESPONDING TO RANSOMWARE ATTACKS

If a ransomware incident occurs at your organization, we recommend:

Note: CISA, the FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.

Recent Posts

Maui Ransomware – Technical Details

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at Healthcare and Public Health (HPH) Sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for...

MedusaLocker Ransomware Technical Details

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every...

Karakurt Data Extortion Group

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide...

CVE-2022-30190 aka Follina

Move over log4j, there is a new 0-day vulnerability being exploited in the wild. The first sample that exploits the vulnerability appeared on VirusTotal on April 12th, 2022. Successful exploitation allows an attacker to run arbitrary code with the privileges of the...

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

Ragnarlocker Ransomware IOCs

RagnarLocker is identified by the extension “.RGNR_<ID>,” where <ID> is a hash of the computer’s NETBIOS name. The actors, identifying themselves as “RAGNAR_LOCKER,” leave a .txt ransom note, with instructions on how to pay the ransom and decrypt the data....

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...