Author: Christopher Kim
1. Executive Summary
On 18 October, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) published a joint advisory on BlackMatter ransomware.1 Since July, campaigns delivering this malware have targeted multiple U.S.-based organizations critical to the country’s infrastructure, including two in the U.S. Food and Agriculture Sector.
BlackMatter uses compromised credentials to access an organization’s Microsoft Active Directory (AD) via the Lightweight Directory Access Protocol (LDAP) and the Server Message Block (SMB) protocol. Once logged in, the actors can discover all hosts on the network and then remotely encrypt their resources. This advisory describes (1) the various tactics, techniques, and procedures (TTPs) that the FBI, CISA, and NSA discovered by analyzing a BlackMatter sample in a sandbox environment and (2) information reported by trusted third-party security vendors.
BlackMatter is a ransomware-as-a-service (RaaS) tool that was first discovered in July 2021. According to the advisory, BlackMatter might be a rebrand of DarkSide: a RaaS that was active from September 2020 to May 2021. Developers of BlackMatter profit by renting it out to cyber actors. BlackMatter campaigns have demanded ransom payments from $80,000 to $15,000,000 in Bitcoin or Monero.
BlackMatter uses a number of built-in Windows functions to identify accessible resources and to move laterally across a victim’s network; for example, to terminate security programs, BlackMatter uses NtQuerySystemInformation and EnumServicesStatusExW to list the processes and services running on the machines. It then uses compromised network credentials to discover all hosts in AD via the LDAP and SMB. Next, it uses the Microsoft Remote Procedure Call (MSRPC) function srvsvc.NetShareEnumAll to enumerate and connect to accessible SMB shares. Finally, it remotely encrypts the compromised host’s resources and the contents of ADMIN$, C$, SYSVOL, NETLOGON, and other shares it discovered. Instead of encrypting backup data stores and appliances, it destroys or reformats them. BlackMatter also targets Linux-based machines, such as VMware ESXi and network-attached storage (NAS) devices, but it employs a separate encryption binary to encrypt them.2
The following table maps BlackMatter’s TTPs to the MITRE ATT&CK for Enterprise framework according to the analysis performed on the sample described in the advisory.
| Tactic | Technique | Description |
| --- | --- | --- |
| Persistence [TA0003] | External Remote Services [T1133] | To maintain persistence on victims’ networks, BlackMatter leverages legitimate desktop software for remote monitoring and management, often by setting up trial accounts. |
| Credential Access [TA0006] | OS Credential Dumping: LSASS Memory [T1003.001] | BlackMatter uses procmon to harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory. |
| Discovery [TA0007] | Remote System Discovery [T1018] | BlackMatter leverages the LDAP and SMB to discover all hosts in AD. |
| Discovery [TA0007] | Process Discovery [T1057] | BlackMatter uses NtQuerySystemInformation to enumerate processes running on the network. |
| Discovery [TA0007] | System Service Discovery [T1007] | BlackMatter uses EnumServicesStatusExW to enumerate services running on the network. |
| Lateral Movement [TA0008] | Remote Services: SMB/Windows Admin Shares [T1021.002] | BlackMatter uses the MSRPC function srvsvc.NetShareEnumAll to enumerate all discovered shares, and it uses the SMB to connect to them. |
| Exfiltration [TA0010] | Exfiltration Over Web Service [T1567] | BlackMatter attempts to exfiltrate data for extortion. |
| Impact [TA0040] | Data Encrypted for Impact [T1486] | BlackMatter remotely encrypts shares via the SMB and drops a ransomware note into each directory. |
| Impact [TA0040] | Disk Wipe [T1561] | BlackMatter might wipe out backup systems. |
3. Prevention and Mitigation
Ransomware attacks can be costly to mitigate, and they can disrupt business-critical services. The FBI, CISA, and NSA recommend that organizations refer to (1) the CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide, for general strategies for mitigating ransomware, and to (2) the CISA-FBI Cybersecurity Advisory AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks.3, 4 In addition, the agencies strongly recommend that organizations, especially those in sectors critical to the country’s infrastructure, apply the following mitigations to reduce the likelihood of being compromised by BlackMatter:
- Implement the Snort signatures described below. These signatures will identify and block placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours.
- Intrusion Detection System Rule:
    alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; detection_filter: track by_src, count 4, seconds 1; priority:1; sid:11111111111; )
- Inline Intrusion Prevention System Rule:
    alert tcp any any -> any 445 ( msg:"BlackMatter remote encryption attempt"; content:"|01 00 00 00 00 00 05 00 01 00|"; content:"|2e 00 52 00 45 00 41 00 44 00 4d 00 45 00 2e 00 74 00|"; distance:100; priority:1; sid:10000001; )
    rate_filter gen_id 1, sig_id 10000001, track by_src, count 4, seconds 1, new_action reject, timeout 86400
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords.5 Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.6
- Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
- Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
- Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines.
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
- Implement time-based access for accounts set at the admin-level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model).7 This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
- Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom demand.
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted) and covers the entire organization’s data infrastructure.8
- Disable the storage of clear text passwords in LSASS memory.
- Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
- Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).9
- Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack.
- Set a strong password policy for service accounts.
- Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.
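To make the Snort signatures above concrete, the following is an added Python model of what they match; it is not code from the advisory or from the agencies. It copies the two `content` byte strings from the rule, shows that the second one decodes from UTF-16LE (the encoding SMB2 uses for file names) to `.README.t`, which is consistent with the advisory's statement that the signature catches placement of the ransom note, applies the `distance:100` constraint (the second pattern must begin at least 100 bytes after the end of the first match), and emulates `detection_filter: track by_src, count 4, seconds 1` per source address. The SMB payloads are constructed stand-ins rather than captured traffic, all function and class names are this example's own, and the filter boundary (alert once the count is exceeded inside the window) follows the Snort manual's wording; real Snort matches against reassembled streams with its own engine, so treat this as an explanation of the rule's intent rather than a replacement for it.

```python
# Added example (not part of the advisory): a model of the advisory's Snort rule,
# used to show what the signature keys on and how its per-source rate filter behaves.
from collections import defaultdict, deque

# Byte patterns copied from the advisory's rule.
CONTENT_1 = bytes.fromhex("01000000000005000100")
CONTENT_2 = bytes.fromhex("2e0052004500410044004d0045002e007400")
DISTANCE = 100          # distance:100 -> CONTENT_2 must start >= 100 bytes past the end of CONTENT_1
FILTER_COUNT = 4        # detection_filter: count 4
FILTER_SECONDS = 1.0    # detection_filter: seconds 1 (tracked by source address)


def decode_content(pattern: bytes) -> str:
    """Render a Snort hex content as text; SMB2 carries file names as UTF-16LE."""
    return pattern.decode("utf-16-le", errors="replace")


def rule_matches(payload: bytes) -> bool:
    """Apply the rule's content / content / distance logic to one TCP payload."""
    first = payload.find(CONTENT_1)
    if first < 0:
        return False
    earliest_second = first + len(CONTENT_1) + DISTANCE
    return payload.find(CONTENT_2, earliest_second) >= 0


class SourceRateFilter:
    """Emulates 'detection_filter: track by_src, count N, seconds S':
    a source alerts once it exceeds N rule matches within S seconds."""

    def __init__(self, count: int = FILTER_COUNT, seconds: float = FILTER_SECONDS):
        self.count, self.seconds = count, seconds
        self._hits = defaultdict(deque)     # src -> timestamps of recent matches

    def observe(self, src: str, ts: float) -> bool:
        window = self._hits[src]
        window.append(ts)
        while window and ts - window[0] > self.seconds:   # drop matches outside the window
            window.popleft()
        return len(window) > self.count


def scan(packets, rate_filter=None):
    """Run the rule over (src, timestamp, payload) tuples; return (src, ts) pairs that alerted."""
    rate_filter = rate_filter or SourceRateFilter()
    alerts = []
    for src, ts, payload in sorted(packets, key=lambda p: p[1]):
        if rule_matches(payload) and rate_filter.observe(src, ts):
            alerts.append((src, ts))
    return alerts


def build_payload(gap: int, include_note_name: bool = True) -> bytes:
    """Constructed stand-in for an SMB2 request payload (not a real capture):
    CONTENT_1, `gap` filler bytes, then the UTF-16LE ransom-note name fragment."""
    body = b"\xff" * 16 + CONTENT_1 + b"\x00" * gap
    if include_note_name:
        body += CONTENT_2 + "xt".encode("utf-16-le")
    return body + b"\x00" * 8


if __name__ == "__main__":
    print(repr(decode_content(CONTENT_2)))          # '.README.t'
    # five matching writes from one host within half a second -> alert on the fifth
    burst = [("10.0.0.5", i / 10, build_payload(100)) for i in range(5)]
    print(scan(burst))
```

The `build_payload(50)` case is the one worth trying when tuning: the note name is present, but closer to the first pattern than `distance:100` allows, so the rule stays silent, which is why the signature is tied to the specific request layout rather than to the string `.README.t` alone.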
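The executive summary describes the encryptor connecting to ADMIN$, C$ and other shares across every host it discovers, and the mitigations above ask for continuous monitoring of administrative-share access and for Domain Controllers to log and monitor Kerberos service-ticket requests. The following is an added Python example of what that monitoring can look like; it is not code from the advisory. It runs two detections over Windows Security events: a fan-out check on Event ID 5140 (network share accessed) for one account and source address reaching ADMIN$ or C$ on many hosts in a short window, and a check on Event ID 4769 (Kerberos service ticket requested) for one account obtaining RC4-encrypted (`TicketEncryptionType` `0x17`) tickets for several non-machine service accounts, the footprint Kerberoasting leaves. The event records are constructed, simplified dictionaries whose keys follow the field names of those two event IDs rather than real EVTX data, and the thresholds and window sizes are assumptions to be tuned per environment.

```python
# Added example (not part of the advisory): two detections over Windows Security
# event records matching the advisory's advice to monitor ADMIN$/C$ access and
# Kerberos service-ticket requests. Events are simplified dicts constructed for
# this example, not real EVTX data.
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}
RC4_HMAC = "0x17"      # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample events. 5140 = network share object accessed (logged on the
# file server); 4769 = Kerberos service ticket requested (logged on the DC).
EVENTS = [
    # one service account opening ADMIN$ on six servers from one source within five minutes
    *[{"EventID": 5140, "Time": f"2021-10-18T09:0{i}:00", "Computer": f"SRV{i:02d}",
       "SubjectUserName": "svc_backup", "IpAddress": "10.10.5.23", "ShareName": r"\\*\ADMIN$"}
      for i in range(6)],
    # an administrator reaching a single server's C$
    {"EventID": 5140, "Time": "2021-10-18T09:10:00", "Computer": "SRV09",
     "SubjectUserName": "jdoe", "IpAddress": "10.10.1.40", "ShareName": r"\\*\C$"},
    # one user obtaining RC4 service tickets for three different service accounts
    *[{"EventID": 4769, "Time": f"2021-10-18T09:1{i}:00", "Computer": "DC01",
       "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": svc,
       "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.5.23", "Status": "0x0"}
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup"])],
    # an ordinary AES256 ticket for a machine account
    {"EventID": 4769, "Time": "2021-10-18T09:20:00", "Computer": "DC01",
     "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.1.40", "Status": "0x0"},
]


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def share_name(unc: str) -> str:
    r"""'\\*\ADMIN$' -> 'ADMIN$'."""
    return unc.rsplit("\\", 1)[-1].upper()


def admin_share_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Flag (account, source IP) pairs that open ADMIN$ or C$ on at least `min_hosts`
    distinct hosts inside `window`: the fan-out an SMB-based encryptor produces."""
    by_actor = defaultdict(list)
    for e in events:
        if e["EventID"] == 5140 and share_name(e["ShareName"]) in ADMIN_SHARES:
            by_actor[(e["SubjectUserName"], e["IpAddress"])].append((parse_time(e["Time"]), e["Computer"]))
    findings = []
    for (account, source), hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # sliding window anchored at each hit
            hosts = {host for t, host in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"account": account, "source": source, "hosts": sorted(hosts)})
                break
    return findings


def rc4_service_ticket_requests(events, min_services=3):
    """Flag accounts that obtained RC4 service tickets for at least `min_services`
    distinct non-machine service accounts (machine accounts end in '$')."""
    per_user = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if e["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
            per_user[e["TargetUserName"]].add(svc)
    return [{"account": u, "services": sorted(s)} for u, s in per_user.items() if len(s) >= min_services]


if __name__ == "__main__":
    for finding in admin_share_fanout(EVENTS) + rc4_service_ticket_requests(EVENTS):
        print(finding)
```

Both checks key on distinct targets rather than raw event counts, so a backup job that legitimately touches one server's C$ many times does not trip the fan-out rule, while a single account that reaches six servers' ADMIN$ in five minutes does; the same source address showing up in both findings is the kind of overlap worth escalating.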
4. Indicators of Compromise
The advisory described the results of an analysis performed on a single BlackMatter sample with the SHA256 hash 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.