CISA/FBI/NSA warn of BlackMatter attacks on agriculture and critical infrastructure

news

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint Cybersecurity Advisory warning that the BlackMatter ransomware is “targeting multiple critical infrastructure entities in the United States, including two organizations in the U.S. food and agriculture sector.”

https://us-cert.cisa.gov/ncas/alerts/aa21-291a

The attacks on two U.S. grain cooperatives believed to be linked to BlackMatter, NEW Cooperative in Iowa and Crystal Valley Cooperative in Minnesota, highlight digital security risks in the U.S. and global food supply chains.

This new advisory provides an overview of the threat and its tactics, detection signatures to help identify and block threat-related network activity, and best practices for mitigation.

BlackMatter is a ransomware-as-a-service (RaaS) operation that appeared in July 2021. Under this model the ransomware developers profit from cybercriminal affiliates who deploy the ransomware against victims.

BlackMatter has commented that it may be a “rebranding” of DarkSide, a major RaaS operation that was active from Fall 2020 to May 2021.

In an interview published by Recorded Future in August, BlackMatter stated that it is trying to incorporate the most effective features of past ransomware families, REvil and DarkSide.

BlackMatter’s ransom demands have ranged from $80,000 to $15 million in Monero and Bitcoin.

The agencies are asking critical infrastructure organizations to implement detection signatures and follow security best practices such as strong passwords and multi-factor authentication. They also recommend implementing backups and taking measures to partition and monitor networks.

Government officials are also urging victims to report the attacks.

Unfortunately, too much ransomware goes unreported. Since cybercriminals have the most to gain by remaining silent, we are asking targeted companies to contact their local FBI field office and speak with a cyber agent.

Recommended countermeasures against ransomware

CISA, FBI, and NSA recommend applying the following mitigations to networks, especially critical infrastructure, to reduce the risk of damage from BlackMatter ransomware.

Implementation of detection signatures

Implement the detection signatures provided in the advisory. These signatures identify and block the placement of the ransom note on the first share that is encrypted, and then block additional SMB traffic from the encrypting system for 24 hours.

Use strong passwords

Require strong and unique passwords for all accounts that log in with a password (service accounts, admin accounts, domain admin accounts, etc.).

Passwords should not be reused for more than one account, nor stored on a system that could be accessed by an adversary.

Note: For devices with local administrative accounts, implement a password policy that requires a strong and unique password for each individual administrative account.
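The password requirements above, and the later recommendation of a strong password policy for service accounts, can be enforced in Active Directory with a fine-grained password policy. The following is an added example, not code from the advisory; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the policy and group names (`PSO-PrivilegedAndServiceAccounts`, `svc-Accounts`) and the numeric thresholds are placeholders to adjust to your own standard.

```powershell
# Added example (not from the advisory): apply a strong password policy to privileged
# and service accounts, then report the accounts that still never rotate their password.
Import-Module ActiveDirectory

$PolicyName   = 'PSO-PrivilegedAndServiceAccounts'   # placeholder policy name
$TargetGroups = @('Domain Admins', 'svc-Accounts')   # 'svc-Accounts' is a placeholder group

# 1. Fine-grained password policy (PSO). A lower Precedence wins when several PSOs apply.
$PsoParams = @{
    Name                        = $PolicyName
    Precedence                  = 10
    MinPasswordLength           = 25                       # long passphrases for these accounts
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24                       # blocks reuse of recent passwords
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 5
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false                   # never store recoverable passwords
}
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy @PsoParams
}
# Bind the PSO to the groups; members inherit it regardless of the default domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroups

# 2. Report members whose password never expires or is older than MaxPasswordAge.
$Cutoff = (Get-Date).AddDays(-90)
$Stale = foreach ($g in $TargetGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $Cutoff } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
}
$Stale | Sort-Object SamAccountName -Unique | Format-Table -AutoSize
```

The PSO covers domain accounts only. For the local administrator accounts mentioned in the note, a per-device password manager such as LAPS is the usual way to get a unique password on every machine.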

Implementation of multi-factor authentication

Whenever possible, implement multi-factor authentication for all your services. We especially recommend implementing multi-factor authentication for webmail, virtual private networks, and accounts that access critical systems.

System Patches and Updates

Keep all operating systems and software up to date.

Applying patches in a timely manner is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

Restrict access to resources on the network

Remove unnecessary access to administrative shares (especially ADMIN$ and C$).

If ADMIN$ and C$ are deemed operationally necessary, restrict access to only the service or user accounts that need it, and continuously monitor for anomalous activity.

Use a host-based firewall to allow SMB connections to the administrative shares only from a limited number of administrator machines.
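The three steps above (review who can reach the administrative shares, remove them where they are not needed, otherwise scope SMB to administrator machines) can be carried out with built-in Windows cmdlets. This is an added example rather than code from the advisory; it assumes an elevated PowerShell session on the server being hardened, and the management-host addresses in `$AdminHosts` are placeholders.

```powershell
# Added example (not from the advisory): audit admin shares and limit inbound SMB to an allow-list.
$AdminHosts = @('10.0.50.10', '10.0.50.11')   # placeholder jump hosts / admin workstations

# 1. Who can reach the special (administrative) shares today?
Get-SmbShare | Where-Object Special | ForEach-Object {
    Write-Host "`n[$($_.Name)] access control:"
    Get-SmbShareAccess -Name $_.Name |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}

# 2. If ADMIN$ / C$ are not operationally required, stop Windows from recreating them.
#    Server SKUs read AutoShareServer, client SKUs AutoShareWks; the LanmanServer service
#    must be restarted for the change to take effect. Left commented: run it deliberately.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
# Set-ItemProperty -Path $LanmanParams -Name AutoShareServer -Value 0 -Type DWord
# Set-ItemProperty -Path $LanmanParams -Name AutoShareWks    -Value 0 -Type DWord

# 3. Otherwise keep the shares but scope every inbound rule that opens TCP 445 to the
#    allow-list. Windows Firewall evaluates block rules before allow rules, so adding a
#    broad "block 445" rule would also cut off the admin hosts; narrowing the allow rules
#    and relying on the profile's default inbound Block is the correct lever.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object Direction -eq 'Inbound' |
    Set-NetFirewallRule -RemoteAddress $AdminHosts -Enabled True

Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. Verify: each SMB-In rule should now list only the admin hosts as remote addresses.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule | Where-Object Direction -eq 'Inbound' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        "{0,-45} {1,-8} remote: {2}" -f $_.DisplayName, $_.Enabled, $addr
    }
```

On a fleet, the same scoping is better pushed from a Group Policy firewall rule so that a local administrator cannot silently widen it again; the verification loop in step 4 is still worth running on a sample of hosts.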

Perform network segmentation and traversal monitoring

Adversaries use system and network discovery techniques to visualize and map networks and systems. To limit the adversary’s knowledge of your organization’s enterprise environment, constrain common system and network discovery techniques with the following measures:

  • Segment the network to prevent the spread of ransomware.
  • Segmenting your network can help prevent the spread of ransomware by controlling traffic flow between multiple subnetworks and access to subnetworks, and by limiting the lateral movement of adversaries.
  • Use network monitoring tools to identify, detect, and investigate anomalous activity and possible ransomware intrusion.

Implement time-based access for accounts at the administrator level and above.

Just-in-time (JIT) access methods can provide privileged access when needed and support the implementation of the principle of least privilege (and the zero-trust model).

This means configuring a network-wide policy that automatically disables administrator accounts at the AD level when they are not directly needed.

When an account is needed, individual users can submit requests in an automated process to gain access to the system, but only within a set timeframe to help complete the task.
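One native way to get the time-boxed access described above is the Active Directory Privileged Access Management optional feature, which lets a group membership expire on its own. The block below is an added example, not code from the advisory; it assumes a Windows Server 2016 or later forest functional level, the RSAT ActiveDirectory module, and that the request/approval workflow that decides whether to call `Grant-TimeBoundAdminAccess` already exists. The function names, the user `alice` and the ticket id are placeholders.

```powershell
# Added example (not from the advisory): time-bound membership in a privileged AD group.
Import-Module ActiveDirectory

function Enable-TimeBoundAdminAccess {
    # One-time forest change and irreversible, so confirm before running in production.
    $forest = (Get-ADForest).Name
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest
}

function Grant-TimeBoundAdminAccess {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Group = 'Domain Admins',
        [int]$Hours = 2,
        [Parameter(Mandatory)][string]$Ticket     # change/request id kept for the audit trail
    )
    # The TTL is stored on the membership link itself: AD removes the member when it expires
    # and the KDC issues tickets carrying the group SID only for the remaining lifetime,
    # so no clean-up job is needed.
    Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive (New-TimeSpan -Hours $Hours)
    Write-Host "[$(Get-Date -Format s)] $User added to '$Group' for $Hours h (ticket $Ticket)"
}

function Get-TimeBoundAdminAccess {
    param([string]$Group = 'Domain Admins')
    # -ShowMemberTimeToLive returns expiring links as "<TTL=5400>,CN=alice,...";
    # permanent members carry no prefix and are the ones to drive toward zero.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
        ForEach-Object {
            if ($_ -match '^<TTL=(\d+)>,(.*)$') {
                [pscustomobject]@{ Member = $Matches[2]; SecondsLeft = [int]$Matches[1] }
            } else {
                [pscustomobject]@{ Member = $_; SecondsLeft = 'permanent' }
            }
        }
}

# Usage (Enable-TimeBoundAdminAccess runs once per forest):
# Grant-TimeBoundAdminAccess -User 'alice' -Hours 2 -Ticket 'CHG-0001'
# Get-TimeBoundAdminAccess | Format-Table -AutoSize
```

Because the Kerberos ticket lifetime is capped at the remaining TTL, a user granted two hours cannot keep working with a stale ticket after the window closes; the listing function is the check to run periodically to confirm that standing, permanent memberships are shrinking.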

Disable command line and scripting activities and permissions

Privilege escalation and lateral movement often rely on software utilities that are run from the command line. If the threat actor is unable to run these tools, privilege escalation and lateral movement become difficult.

Implementation and enforcement of backup and restore policies and procedures

Maintain offline backups of data, and regularly test backup and restore procedures.

This ensures that organizations do not suffer serious interruptions, unrecoverable data, or being held hostage by a ransom demand.

Make sure that all backup data is encrypted, immutable (cannot be modified or deleted), and covers the entire data infrastructure of the organization.

CISA, FBI, and NSA recommend that the following additional mitigations be applied to critical infrastructure to reduce the risk of credential compromise:

  • Disable clear text password storage in LSASS memory.
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest authentication.
  • Implement Credential Guard for Windows 10 and Server 2016.
  • For Windows Server 2012 R2, enable Protected Process for the Local Security Authority (LSA).
  • Minimize the AD attack surface: malicious activity such as Kerberoasting abuses the Kerberos Ticket-Granting Service to obtain hashed credentials that attackers then attempt to crack.
  • Set a strong password policy for service accounts.
  • Audit domain controllers to log successful Kerberos Ticket-Granting Service requests, and monitor the events to identify unusual activity.
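The list above mixes host settings (WDigest, LSA protection, Credential Guard, NTLM) with a monitoring task on the domain controllers. The following added example, which is not code from the advisory, checks the host settings read-only and reviews the Security log for service-ticket events (4769) with the two characteristics that make a request worth a second look: a legacy RC4 ticket for a non-machine service account, and one user requesting many distinct services in a short window. It assumes an elevated session, that the "Kerberos Service Ticket Operations" audit subcategory is enabled on the domain controller being queried, and the thresholds are placeholders.

```powershell
# Added example (not from the advisory): credential-hardening audit plus a 4769 review.

# Registry settings behind the advisory's bullets; Want is the hardened value.
$Checks = @(
    @{ Name = 'WDigest cleartext in LSASS disabled (UseLogonCredential)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Key  = 'UseLogonCredential'; Want = 0 },
    @{ Name = 'LSA runs as protected process (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'RunAsPPL'; Want = 1 },
    @{ Name = 'Credential Guard configured (LsaCfgFlags)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LsaCfgFlags'; Want = 1 },
    @{ Name = 'Only NTLMv2, LM/NTLMv1 refused (LmCompatibilityLevel)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Want = 5 }
)

function Test-CredentialHardening {
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
        [pscustomobject]@{
            Check  = $c.Name
            Actual = if ($null -eq $actual) { 'not set' } else { $actual }
            Pass   = ($actual -eq $c.Want)
        }
    }
}

# Turn on the audit subcategory that produces 4769 on domain controllers (one-time, elevated):
#   auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
function Get-SuspiciousServiceTicketRequests {
    param([int]$Hours = 24, [int]$DistinctServiceThreshold = 10)   # placeholder thresholds
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = $d['TargetUserName']
            Service = $d['ServiceName']
            EncType = $d['TicketEncryptionType']   # 0x17 = RC4-HMAC, 0x12 = AES256
            Status  = $d['Status']                 # 0x0 = ticket issued
        }
    }
    # Successful RC4 tickets for services that are neither machine accounts ($) nor krbtgt,
    # grouped by requesting user; report users above the distinct-service threshold.
    $rows |
        Where-Object { $_.Status -eq '0x0' -and $_.EncType -eq '0x17' -and $_.Service -notmatch '\$$|^krbtgt$' } |
        Group-Object User |
        ForEach-Object {
            $services = $_.Group.Service | Sort-Object -Unique
            if ($services.Count -ge $DistinctServiceThreshold) {
                [pscustomobject]@{
                    User             = $_.Name
                    DistinctServices = $services.Count
                    FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
                    LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
                }
            }
        }
}

Test-CredentialHardening | Format-Table -AutoSize
Get-SuspiciousServiceTicketRequests | Format-Table -AutoSize
```

A failing `LsaCfgFlags` check only says Credential Guard is not configured in the registry; whether it is actually running is reported by the `Win32_DeviceGuard` CIM class. The 4769 review is a triage aid rather than a verdict: a single legitimate scanner or a service that still negotiates RC4 will show up too, which is itself a reason to move those service accounts to AES keys and a long password, as the list above recommends.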
