New Ransomware Group: BlackMatter

A new Russian based ransomware gang called “BlackMatter” has surfaced. The group utilizes a somewhat different approach to breaching networks to import their malware. BlackMatter is actively seeking what they refer to as “Initial Access Brokers” (IABs) that can provide them access into compromised networks. According to HHS Security, IABs are financially motivated individuals who trade RDP credentials, VPN login details or other access information for a fee. BlackMatter is promising up to $100,000 for a successful attack on organization’s network. While the group has pledged not to target critical infrastructure, that promise seems to be short lived as an Iowa agricultural cooperative was attacked by the group last month. BlackMatter demanded a $5.9 million ransom to decrypt the files and threated to double it if not paid within five days. Other recent attacks have involved Olympus, a Japanese manufacture of healthcare equipment, as well as an exfiltration attack on a U.S. legal services firm called Middleton Reutlinger. Since becoming active malicious actors, BlackMatter is credited with at least a dozen attacks.

1. Because BlackMatter uses valid accounts to gain access to the network, logons recorded during non-typical working hours should be routinely monitored
2. Stopped services relating to endpoint protection software
3. Modifications to data files and folders so that they allow full access for any account
4. Any new appearances of UNC paths to data volumes and drives
5. Compromises to computer registries to modify the local Windows administrator account
6. A successful attack will be followed by a wallpaper image that alerts the victim of the attack and instructs them what to do to retrieve their data

Any machine believed to be compromised should be taken offline immediately and analyzed by an IT professional in an isolated environment. If infected, isolation from the network will then prevent the malware from spreading the any further. Segmenting any type of malware such as ransomware offline is critical.

Accounts with access to the impacted system(s) should have their passwords immediately reset.

Multi-factor authentication (MFA) should be put in place for all externally accessible assets to thwart further access via single factor authentication.

If infection is confirmed, you need to next confirm the extent of the attack. Insulating the remaining network should be the priority. Those who have a cyber insurance policy should immediately contact their insurance company as these firms have experience dealing with ransomware attacks. IT personnel should work on restoring and resetting the infected machines.