The FBI and National Security Agency issued a joint advisory over the threat posed by the BlackMatter ransomware group.
The advisory, issued along with the Cybersecurity and Infrastructure Security Agency (CISA), warned that the newly emerged ransomware outfit could pose a massive danger to U.S.-based organizations, particularly those that operate in critical infrastructure industries.
"Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services," the joint advisory said. "Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations."
Those two food and agriculture entities were a pair of farming co-ops in Iowa and Minnesota that had to partially shut down their operations in September, triggering fears that further attacks could lead to food shortages in the U.S.
First landing on the radar of security providers in July of this year, BlackMatter operates a ransomware-as-a-service (RaaS) model in which independent cybercriminals infiltrate networks and install the ransomware on servers and PCs. The RaaS providers then handle the victim notification and ransom negotiation, kicking over a portion of any eventual ransom payment to the affiliate hacker.
As with most of the current generation of ransomware operations, BlackMatter further pressures its victims to meet the ransom demand by threatening to publish all of the stolen data should they not pay.
Threat analysts found that BlackMatter has ties to both the REvil and DarkSide ransomware crews, something that would make sense given the recent trend of ransomware groups intermingling and spreading both funding and members amongst one another.
The FBI, NSA and CISA maintain that organizations should hold out against the ransomware demands and refuse to pay.
"Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities," the three agencies warned. "Paying the ransom also does not guarantee that a victim's files will be recovered."
Rather, the government agencies suggest companies adopt best practices to protect against malware in general, such as maintaining and isolating system backups, strictly limiting access privileges and timing out administrator account logins, and staying up to date with security patches and system updates.
According to the joint advisory, BlackMatter threat actors typically use previously compromised credentials to gain access to victims' environments; the attackers then abuse the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocols against the network's Active Directory to discover all hosts on the network, which are then encrypted with the ransomware. And it is not just Windows systems that are threatened by BlackMatter.
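The sequence the advisory describes (a valid account querying Active Directory over LDAP, then reaching many hosts over SMB in a short span) is something a defender can look for in authentication and network logs. The script below is an added illustration, not part of the advisory or the article; the CSV-style log format and all host, user and address values in it are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the advisory): timestamp,user,src_ip,protocol,dst_host
SAMPLE_LOG = """\
2021-09-19T02:00:01Z,CORP\\jdoe,10.0.5.23,LDAP,dc01
2021-09-19T02:00:40Z,CORP\\jdoe,10.0.5.23,SMB,fs01
2021-09-19T02:00:41Z,CORP\\jdoe,10.0.5.23,SMB,fs02
2021-09-19T02:00:42Z,CORP\\jdoe,10.0.5.23,SMB,app01
2021-09-19T02:00:43Z,CORP\\jdoe,10.0.5.23,SMB,app02
2021-09-19T02:00:44Z,CORP\\jdoe,10.0.5.23,SMB,esx01
2021-09-19T02:00:45Z,CORP\\jdoe,10.0.5.23,SMB,bkp01
2021-09-19T02:05:00Z,CORP\\asmith,10.0.7.10,LDAP,dc01
2021-09-19T02:06:00Z,CORP\\asmith,10.0.7.10,SMB,fs01
2021-09-19T09:30:00Z,CORP\\backup,10.0.9.2,SMB,bkp01
"""

def parse_log(text):
    """Parse CSV-style lines into (ts, user, src, proto, dst) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, proto, dst = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, proto, dst))
    return sorted(events)

def find_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Flag (user, src_ip) pairs that query AD over LDAP and then open SMB sessions
    to at least `threshold` distinct hosts within `window` of that query.
    Returns {(user, src_ip): sorted list of SMB target hosts}."""
    ldap_seen = {}                      # (user, src) -> time of most recent LDAP query
    smb_targets = defaultdict(set)      # (user, src) -> hosts contacted since that query
    for ts, user, src, proto, dst in events:
        key = (user, src)
        if proto == "LDAP":
            ldap_seen[key] = ts
            smb_targets[key].clear()    # a new query starts a fresh window
        elif proto == "SMB" and key in ldap_seen and ts - ldap_seen[key] <= window:
            smb_targets[key].add(dst)
    return {k: sorted(v) for k, v in smb_targets.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (user, src), hosts in find_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{user} from {src}: LDAP query followed by SMB to {len(hosts)} hosts: {hosts}")
```

Only the first account trips the rule: the second makes a single SMB connection after its query, and the backup account never queries LDAP at all, so ordinary administrative traffic is left alone.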
"BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines," the agencies said. "Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances."
The advisory also contains indicators of compromise and recommendations of specific services that should be disabled to protect against BlackMatter attacks.