BlackMatter Ransomware

  • Nov 15, 2021
  • 2 min read


BlackMatter Screenshot


Ransomware-as-a-service (RaaS) means that any individual or entity can use such a service to carry out ransomware attacks, including former employees, a disgruntled current employee, or even competitors.


First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. The service is offered on the dark web. The name has political overtones, being a shortened form of Black Lives Matter. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero. BlackMatter ransomware borrows the best of the (dirty) practices used by its predecessor RaaS operations: DarkSide, REvil, and LockBit.





The BlackMatter RaaS offers its services on the following terms:


  • The victim organisation should preferably be from the United States, Great Britain, Canada or Australia.

  • Organisations in medicine and state institutions are to be avoided.

  • Networks already attacked by any other ransomware will not be taken on.

  • The victim should have 500 to 15,000 host machines.

  • Expected victim revenue: $100,000,000+.

  • Two modes of use: buy the service and deploy it yourself, or have BlackMatter do the deployment.

  • The BlackMatter team will check the system after getting access and confirm the deal.

  • Before any work starts, a deposit of 2 to 4 BTC (bitcoins), about 120K to 250K USD, is required.





It has been observed that, unlike many ransomware operations, BlackMatter does not use phishing attacks; instead it uses compromised passwords and vulnerabilities in edge devices.


Many devices, firmware and software products use embedded or hard-coded passwords. Some also ship with default passwords which a user may never change. BlackMatter likewise uses embedded admin or user credentials. BlackMatter then uses these credentials with the LDAP and SMB protocols to discover all hosts in the network. BlackMatter presently does not have the capability to encrypt Linux-based machines; instead it simply deletes all of the data and may still demand a ransom. Online backups may also be affected if their credentials are compromised.





BlackMatter Negotiation Screen



Mitigation Approach


The following are some of the steps which can be taken to mitigate the BlackMatter threat:



  • Isolate infected devices and network segments

  • Implement Detection Signatures

  • Use Strong Passwords

  • Implement Multi-Factor Authentication at least for admin and privileged accounts

  • Patch and Update Systems

  • Limit Access to Resources over the Network

  • Implement Network Segmentation and Traversal Monitoring

  • Use Admin Disabling Tools to Support Identity and Privileged Access Management

    • Implement time-based access for accounts set at the admin level and higher

    • Disable command-line and scripting activities and permissions.

  • Implement and Enforce Backup and Restoration Policies and Procedures

    • Maintain offline backups of data.

    • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.

  • Disable the storage of clear text passwords in LSASS memory

  • Implement Credential Guard for Windows 10 and Server 2016

  • Minimize the AD attack surface to reduce malicious ticket-granting activity

  • Disable or delete all ex-employee and vendor credentials

  • Do not use admin or privileged passwords while doing routine work.

  • Log out from admin or privileged accounts as soon as the task is completed.
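As an added example (not from the original post or the referenced CISA alert), the PowerShell script below audits two of the Windows items in the list above on the local host: whether WDigest clear-text credential caching in LSASS is disabled, and whether Credential Guard is actually running. It assumes an elevated session on Windows 10 / Server 2016 or later; the function names are my own.

```powershell
# Added audit script (not part of the original post). Checks two LSASS hardening
# items from the mitigation list on the local Windows host.

function Test-WDigestCleartextDisabled {
    # WDigest keeps clear-text credentials in LSASS memory when UseLogonCredential = 1.
    # We require an explicit 0; an absent value is reported as non-compliant so that
    # the setting is enforced rather than left to the OS default (an assumption).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $prop = Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { $prop.UseLogonCredential } else { $null }
    $shown = if ($null -eq $value) { '<not set>' } else { $value }
    return [pscustomobject]@{
        Check     = 'WDigest UseLogonCredential'
        Value     = $shown
        Compliant = ($value -eq 0)
    }
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard lists the VBS services currently running:
    # 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning) -contains 1
    $shown = if ($null -ne $dg) { (@($dg.SecurityServicesRunning) -join ',') } else { '<class unavailable>' }
    return [pscustomobject]@{
        Check     = 'Credential Guard running'
        Value     = $shown
        Compliant = $running
    }
}

function Set-WDigestCleartextDisabled {
    # Remediation for the first check: explicitly set UseLogonCredential to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    New-ItemProperty -Path $key -Name UseLogonCredential -PropertyType DWord -Value 0 -Force | Out-Null
}

$results = @(Test-WDigestCleartextDisabled; Test-CredentialGuardRunning)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more LSASS credential-hardening checks failed.'
}
```

Credential Guard itself cannot be switched on from this script; it requires the VBS platform and is enabled through Group Policy or the Windows Defender Device Guard settings, after which the second check should report a running value of 1.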




Note: As per the latest report, BlackMatter is stopping its ransomware-as-a-service due to extreme pressure from law enforcement agencies across the world.


Reference: https://us-cert.cisa.gov/ncas/alerts/aa21-291a


Important: If you want counter-ransomware services (prior to an attack as well as post-attack), please contact us.



