October 20, 2021
Best Practices / Technology

Guest Blog – Webcheck Security: BlackMatter Ransomware

Written by Greg Johnson
BlackMatter Ransomware Attacks

As Cybersecurity month continues, we have invited Greg Johnson, CEO of Webcheck Security, as a guest blogger to provide some insight into a type of Cybersecurity risk that is already plaguing some major businesses in the U.S. In this article, Jason provides insight into what BlackMatter ransomware is and questions your business should be asking to safeguard against an attack.

What is BlackMatter Ransomware?

According to an article from TechCrunch, “BlackMatter provides ransomware-as-a-service (RaaS) that allows other groups to rent its infrastructure, taking a cut of the ransom if the victim pays.” Cybercriminals acting as part of BlackMatter have deployed thousands of attacks that originated back in July of this year and have already demanded ransoms as high as $15 million in bitcoin.

How Vulnerable Are You?

Critical infrastructure organizations (remember Colonial Pipeline?) have reason to be concerned over recent attacks. I make it clear in this blog article however, that even if you are not critical infrastructure but running standard tools in your organization such as Active Directory, you too could be vulnerable.

“BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.”

Here is what BlackMatter does: “Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.”    

BlackMatter is most likely a rebrand of DarkSide, all of which along with others have originated from Russian groups. More information about both BlackMatter as well as its origins can be found on the Cybersecurity & Infrastructure Security Agency (CISA)’s website here

The real question now – ‘what do I do about it?’ I suggest following the CISA’s advice, which I’ll break down below in the form of questions that you should ask about your current network:

1. Are you running MDR (like SNORT) and if so, have you implemented the detection signatures listed in the CISA link above? 

2. Do you have strong, unique passwords on all service, admin and domain admin accounts? (For example, some of my passwords include 16-23 characters)

3. Have you implemented Multi-Factor Authentication (MFA)? 

 4. Have you patched and updated all systems?

5. Have you limited access to network resources?

6. Do you implement network segmentation techniques and traversal monitoring?

7. Do you use admin disabling tools to support identity and privileged access management? 

8. Do you implement and enforce backup and restoration policies and procedures?

Interlaced is proud to have a partnership with Webcheck Security and we appreciate their insight for businesses to help prevent against cyberattacks like these. To learn more about how Interlaced and Webcheck Security can help your business with security, scalable architecture, and user management, visit www.interlaced.io/contact, or email us at sales@interlaced.io today!

Technology vector created by freepik – www.freepik.com

Greg Johnson

Greg Johnson

Greg is the CEO of Webcheck Security, a world-class penetration testing and cyber services company, which specializes in incident response, maturity assessment, Fractional Information Security Officer (FISO) services and managed threat hunting. Greg enjoys serving his clients with a genuine interest in their needs and success, through providing quality cyber services recommendations.