CISA: BlackMatter Ransomware Joint Cybersecurity Advisory

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) announced the release of a joint Cybersecurity Advisory (CSA) on the BlackMatter ransomware threat. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA provides cyber actor tactics, techniques, and procedures and outlines mitigations to improve ransomware protection, detection, and response.


BlackMatter was first seen in July 2021. Cyber actors leveraged BlackMatter using embedded, previously compromised credentials that enabled them to access the network and remotely encrypt hosts and shared drives. When the actors found backup data stores and appliances on the network that were not stored offsite, they wiped or reformatted the data. BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims.


To secure systems against BlackMatter ransomware, CISA, FBI, and NSA recommend implementing the mitigation measures described in this advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and updating your operating system and software.


If a ransomware incident occurs at your organization, CISA, FBI, and NSA recommend the following actions:


Organizations should read the advisory, assess their unique cybersecurity environment, and implement recommended mitigations for any observed security gaps or weaknesses. Any support you and your organizations can provide to amplify this joint advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.


The advisory can also be found on the new, whole-of-government ransomware website,




Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
Cell: 217-299-3954