If you would like to speak with HALOCK concerning this zero-day vulnerability, need assistance with analysis, or learn more about how to prepare for cyber threats through an Incident Response Readiness program, please reach out to your HALOCK account manager or chat with us online at HALOCK to schedule a call with one of our security experts.
New Ransomware Group: BlackMatter
DESCRIPTION
A new Russian-based ransomware gang called "BlackMatter" has surfaced. The group takes a somewhat different approach to breaching networks in order to deploy its malware. BlackMatter is actively seeking what it refers to as "Initial Access Brokers" (IABs) that can provide it access into already-compromised networks. According to HHS Security, IABs are financially motivated individuals who trade RDP credentials, VPN login details or other access information for a fee. BlackMatter is promising up to $100,000 for a successful attack on an organization's network. While the group has pledged not to target critical infrastructure, that promise appears to be short-lived, as an Iowa agricultural cooperative was attacked by the group last month. BlackMatter demanded a $5.9 million ransom to decrypt the files and threatened to double it if not paid within five days. Other recent attacks have involved Olympus, a Japanese manufacturer of healthcare equipment, as well as an exfiltration attack on a U.S. legal services firm called Middleton Reutlinger. Since becoming active, BlackMatter has been credited with at least a dozen attacks.
IDENTIFY INDICATORS OF COMPROMISE (IOC)
CONTAINMENT (If IOCs are identified)
Any machine believed to be compromised should be taken offline immediately and analyzed by an IT professional in an isolated environment. If the machine is infected, isolating it from the network prevents the malware from spreading any further. Taking any infected host offline, whatever the type of malware involved, is critical for ransomware. Accounts with access to the impacted system(s) should have their passwords reset immediately. Multi-factor authentication (MFA) should be put in place for all externally accessible assets so that stolen single-factor credentials (such as the RDP or VPN logins traded by Initial Access Brokers) cannot be reused to regain access.
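The containment steps above raise a practical question: which accounts need a password reset, and which logons look like the remotely purchased access described in the DESCRIPTION section? The following Python script is an added example (not HALOCK tooling, and not part of the original advisory) that builds a containment plan from Windows Security logon events. The log lines, hostnames, usernames and IP addresses are constructed for the example, the JSON field names are an assumption that mirrors the usual 4624/4625 event fields, and the internal address ranges are a placeholder an organization would replace with its own address inventory.

```python
"""Containment triage helper (added example, not HALOCK's own tooling)."""
import ipaddress
import json

# Constructed sample of Windows Security logon events (4624 = success, 4625 = failure)
# flattened to one JSON object per line. Field names are an assumption for this example.
SAMPLE_EVENTS = """
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "203.0.113.45", "TimeCreated": "2021-09-20T02:14:07Z"}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.0.12", "TimeCreated": "2021-09-20T02:20:11Z"}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "FS01$", "LogonType": 5, "IpAddress": "-", "TimeCreated": "2021-09-20T02:21:00Z"}
{"EventID": 4624, "Computer": "WS07", "TargetUserName": "asmith", "LogonType": 2, "IpAddress": "127.0.0.1", "TimeCreated": "2021-09-20T08:01:44Z"}
{"EventID": 4625, "Computer": "FS01", "TargetUserName": "administrator", "LogonType": 10, "IpAddress": "203.0.113.45", "TimeCreated": "2021-09-20T02:10:00Z"}
{"EventID": 4624, "Computer": "FS01", "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "198.51.100.7", "TimeCreated": "2021-09-19T23:50:30Z"}
"""

RDP_LOGON_TYPE = 10      # LogonType 10 = RemoteInteractive (RDP)
SUCCESSFUL_LOGON = 4624  # 4625 (failed logon) is deliberately left out of the reset list

# Placeholder inventory of address space the organization owns; replace with real ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(ip_text, internal=INTERNAL_NETWORKS):
    """True when the source address lies outside the organization's own ranges.
    Placeholders such as "-" (no network source) are treated as not external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in internal)


def accounts_to_reset(events, compromised_hosts):
    """Every user account with a successful logon on a compromised host.
    Machine accounts (trailing '$') are excluded; those are rotated separately."""
    return {
        e["TargetUserName"]
        for e in events
        if e["EventID"] == SUCCESSFUL_LOGON
        and e["Computer"] in compromised_hosts
        and not e["TargetUserName"].endswith("$")
    }


def external_rdp_sessions(events, compromised_hosts):
    """Successful RDP logons to compromised hosts from outside the organization,
    the kind of access an Initial Access Broker trades, sorted oldest first."""
    hits = [
        (e["TimeCreated"], e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["EventID"] == SUCCESSFUL_LOGON
        and e["Computer"] in compromised_hosts
        and e["LogonType"] == RDP_LOGON_TYPE
        and is_external(e["IpAddress"])
    ]
    return sorted(hits)


def containment_plan(text, compromised_hosts):
    """Turn raw logon events plus the set of suspect hosts into a containment checklist."""
    events = parse_events(text)
    return {
        "isolate_hosts": sorted(compromised_hosts),
        "reset_passwords": sorted(accounts_to_reset(events, compromised_hosts)),
        "external_rdp": external_rdp_sessions(events, compromised_hosts),
    }


if __name__ == "__main__":
    # FS01 is the host believed to be compromised in the constructed sample.
    print(json.dumps(containment_plan(SAMPLE_EVENTS, {"FS01"}), indent=2))
```

On the constructed sample the plan isolates FS01, lists jdoe and svc_backup for password resets (the failed administrator attempt and the machine account are excluded), and surfaces two external RDP sessions for jdoe, which is the signal that the account's RDP credentials were exposed and that MFA on the RDP entry point is the lasting fix.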
REMEDIATION (If IOCs are identified)
If infection is confirmed, the next step is to determine the extent of the attack. Isolating the remaining network should be the priority. Those who have a cyber insurance policy should immediately contact their insurance company, as these firms have experience dealing with ransomware attacks. IT personnel should work on restoring and resetting the infected machines.