This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, Fortify 24×7 urges all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory. These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.
First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
Tactics, Techniques, and Procedures
This advisory provides information on cyber actor TTPs obtained from the following sample of BlackMatter ransomware, which was analyzed in a sandbox environment, as well as from trusted third parties: SHA- 256: 706f3eec328e91ff7f66c8f0a2fb9b556325 c153a329a2062dc85879c540839d. (Note: click here to see the sample’s page on VirusTotal)
The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares. Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.
BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXI virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances.
Table 1 maps BlackMatter’s capabilities to the MITRE ATT&CK for Enterprise framework, based on the analyzed variant and trusted third-party reporting.
|External Remote Services [T1133]
|BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
|Credential Access [TA0006]
|OS Credential Dumping: LSASS Memory [T1003.001]
|BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
|Remote System Discovery [T1018]
|BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD.
|Process Discovery [T1057]
|BlackMatter uses NtQuerySystemInformation to enumerate running processes.
|System Service Discovery [T1007]
|BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.
|Lateral Movement [TA0008]
|Remote Services: SMB/Windows Admin Shares [T1021.002]
|BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
|Exfiltration Over Web Service [T1567]
|BlackMatter attempts to exfiltrate data for extortion.
|Data Encrypted for Impact [T1486]
|BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
|Disk Wipe [T1561]
|BlackMatter may wipe backup systems.
The following Snort signatures may be used for detecting network activity associated with BlackMatter activity.
Intrusion Detection System Rule:
alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”; content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|”; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )
Inline Intrusion Prevention System Rule:
alert tcp any any -> any 445 ( msg:”BlackMatter remote encryption attempt”; content:”|01 00 00 00 00 00 05 00 01 00|”; content:”|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|”; distance:100; priority:1; sid:10000001; )
rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400
Fortify 24×7 urges network defenders, especially for critical infrastructure organizations, to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
Implement Detection Signatures
- Implement the detection signatures identified above. These signatures will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24
Use Strong Passwords
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
Implement Multi-Factor Authentication
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical
Patch and Update Systems
- Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity
Limit Access to Resources over the Network
- Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
- Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator
Implement Network Segmentation and Traversal Monitoring
Adversaries use system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to— various subnetworks and by restricting adversary lateral
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Use Admin Disabling Tools to Support Identity and Privileged Access Management
If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected. Given that there has been an observed increase in ransomware attacks during non- business hours, especially holidays and weekends, Fortify 24×7 recommend organizations:
- Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving
Implement and Enforce Backup and Restoration Policies and Procedures
- Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data
Fortify 24×7 urges critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise.
- Disable the storage of clear text passwords in LSASS memory
- Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
- Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
- Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to
- Set a strong password policy for service
- Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous
RESPONDING TO RANSOMWARE ATTACKS
If a ransomware incident occurs at your organization, we recommend:
- Following the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scanning backups. If possible, scan backup data with an antivirus program to check that it is free of
- Reporting incidents immediately to the FBI at a local FBI Field Office, CISA at us- cisa.gov/report, or the U.S. Secret Service at a U.S. Secret Service Field Office.
- Applying incident response best practices found in the joint Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United
Note: CISA, the FBI, and NSA strongly discourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.