CISA, the NSA, and the FBI have recently released a joint advisory detailing the TTPs of BlackMatter ransomware, which primarily leverages SMB (Server Message Block), LDAP (Lightweight Directory Access Protocol), and AD (Active Directory) to identify all available hosts on the network.
BlackMatter ransomware has targeted several critical infrastructure entities in the U.S. since July 2021, including two major Food and Agriculture Sector organizations.
CISA, the FBI, and the NSA urge all organizations to apply the recommended mitigations immediately, since attacks by this ransomware directly affect consumer access to critical infrastructure services.
TTPs of BlackMatter Ransomware
BlackMatter uses previously compromised user credentials together with the NtQuerySystemInformation and EnumServicesStatusExW Windows API functions to enumerate all running processes and services.
To discover all hosts in the Active Directory, BlackMatter uses the embedded credentials over the LDAP and SMB protocols, and to enumerate each host for accessible shares it uses the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function.
From the original compromised host, BlackMatter then remotely encrypts the contents of shares such as ADMIN$, C$, SYSVOL, and NETLOGON, using the embedded credentials and the SMB protocol.
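The remote-encryption behaviour described above leaves a footprint in Windows Security event 5145 (network share object access): one source address obtaining write access to administrative shares on many hosts in a short window. The detection logic below is an added example written for this article, not code from the advisory; the event records are constructed, the field names follow event 5145 but the values, thresholds, and the `find_lateral_encryption` function are assumptions.

```python
# Added example: flag a single source that obtains write access to administrative
# shares (ADMIN$, C$, SYSVOL, NETLOGON) on many hosts over SMB within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}
# Standard file access-mask bits: WriteData (0x2), AppendData (0x4), DELETE (0x10000).
WRITE_BITS = 0x2 | 0x4 | 0x10000

# Constructed sample event 5145 records (reduced to the fields the logic needs):
# 10.0.0.5 touches admin shares on four hosts within a minute; 10.0.0.20 is a
# backup host that only reads C$ on two servers half an hour apart.
EVENTS_5145 = [
    {"t": "2021-10-18T02:00:01", "src": "10.0.0.5",  "host": "FS01", "share": "\\\\*\\C$",     "mask": 0x2},
    {"t": "2021-10-18T02:00:09", "src": "10.0.0.5",  "host": "FS02", "share": "\\\\*\\ADMIN$", "mask": 0x2},
    {"t": "2021-10-18T02:00:15", "src": "10.0.0.5",  "host": "DC01", "share": "\\\\*\\SYSVOL", "mask": 0x2 | 0x10000},
    {"t": "2021-10-18T02:00:40", "src": "10.0.0.5",  "host": "WS07", "share": "\\\\*\\C$",     "mask": 0x2},
    {"t": "2021-10-18T02:00:42", "src": "10.0.0.5",  "host": "FS01", "share": "\\\\*\\Public", "mask": 0x2},  # non-admin share, ignored
    {"t": "2021-10-18T02:01:00", "src": "10.0.0.20", "host": "FS01", "share": "\\\\*\\C$",     "mask": 0x1},  # read only
    {"t": "2021-10-18T02:30:00", "src": "10.0.0.20", "host": "FS02", "share": "\\\\*\\C$",     "mask": 0x1},
]

def parse_share(share):
    """Reduce an event 5145 ShareName such as '\\\\*\\ADMIN$' to 'ADMIN$'."""
    return share.rsplit("\\", 1)[-1].upper()

def find_lateral_encryption(events, min_hosts=3, window=timedelta(minutes=5)):
    """Return {source_ip: sorted target hosts} for every source that obtained write
    access to admin shares on at least `min_hosts` distinct hosts within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if parse_share(e["share"]) in ADMIN_SHARES and e["mask"] & WRITE_BITS:
            by_src[e["src"]].append((datetime.fromisoformat(e["t"]), e["host"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()  # chronological, so each start index only looks forward
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[src] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for src, hosts in find_lateral_encryption(EVENTS_5145).items():
        print(f"ALERT: {src} wrote to admin shares on {len(hosts)} hosts: {', '.join(hosts)}")
```

Tune `min_hosts` and `window` against the normal behaviour of backup, patching and software-deployment hosts in your own environment, and allow-list those sources rather than raising the threshold for everyone.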
CISA, the FBI, and the NSA recommend the following mitigations:
- Implement Detection Signatures
- Use Strong Passwords
- Implement Multi-Factor Authentication
- Patch and Update Systems
- Limit Access to Resources over the Network
- Implement Network Segmentation and Traversal Monitoring
- Use Admin Disabling Tools to Support Identity and Privileged Access Management
- Implement and Enforce Backup and Restoration Policies and Procedures
Moreover, Rob Joyce, Director of Cybersecurity at the NSA, stated:
“The threat of ransomware goes beyond specific impacts to a victim company — it has risen to a national security issue. NSA’s technical skills and threat intelligence will continue to support our partners across government and industry to degrade adversary footholds into networks where they launch the ransomware.”
“Employing the mitigations in the joint advisory with CISA and FBI will protect networks and mitigate the risk against BlackMatter and other ransomware attacks.”