The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) announced the release of a joint Cybersecurity Advisory (CSA) on the BlackMatter ransomware threat. Using an analyzed sample of BlackMatter ransomware and information from trusted third parties, this CSA describes the cyber actors' tactics, techniques, and procedures and outlines mitigations to improve ransomware protection, detection, and response.
First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool: its developers profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter actors have used embedded, previously compromised credentials to gain access to the victim network and remotely encrypt hosts and shared drives. When the actors found backup data stores and appliances on the network, rather than stored offsite, they wiped or reformatted them.
To secure systems against BlackMatter ransomware, CISA, FBI, and NSA recommend implementing the mitigation measures described in the advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.
If a ransomware incident occurs at your organization, CISA, FBI, and NSA recommend the following actions:
- Follow the Ransomware Response Checklist on p. 11 of the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
- Scan your backups. If possible, scan your backup data with an antivirus program to confirm it is free of malware before restoring from it.
- Report incidents immediately to CISA at https://us-cert.cisa.gov/report, a local FBI Field Office, or a U.S. Secret Service Field Office.
- Apply incident response best practices found in the joint advisory from Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity.
Organizations should read the advisory, assess their unique cybersecurity environment, and implement the recommended mitigations for any observed security gaps or weaknesses. Any support you and your organizations can provide to amplify this joint advisory through your communications and social media channels is appreciated. And as always, thank you for your continued collaboration.
The advisory can also be found on the new, whole-of-government ransomware website, StopRansomware.gov.
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
Cell: 217-299-3954 | firstname.lastname@example.org