By Greg Johnson, CEO Webcheck Security
HOW VULNERABLE ARE YOU?
Critical infrastructure organizations (remember Colonial Pipeline?) have reason to be concerned
over recent attacks. In this blog article, however, I make it clear that even if you are not
critical infrastructure but are running standard tools in your organization, such as Active
Directory, you too could be vulnerable.
“BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.”
Here is what BlackMatter does: “Using embedded, previously compromised credentials,
BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message
Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network.
BlackMatter then remotely encrypts the hosts and shared drives as they are found.” [1]
BlackMatter is most likely a rebrand of DarkSide, which, along with others, originated
from Russian groups. More information can be found in reference [1].
The real question is – What do I do about it? I suggest following the Cybersecurity &
Infrastructure Security Agency’s (CISA) advice listed below:
Are you running MDR (like SNORT), and have you implemented the detection signatures listed in the CISA link above?
Do you have strong, unique passwords on all service accounts, admin accounts, and domain admin accounts? (Some of my passwords are 16-23 characters, for example.)
Have you implemented MFA?
Have you patched and updated all systems?
Have you limited access to network resources?
Do you implement network segmentation techniques and traversal monitoring?
Do you use admin disabling tools to support identity and privileged access management?
Do you implement and enforce backup and restoration policies and procedures?
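A sketch of the traversal monitoring asked about above, as an added example that is not from the original post or from CISA: it flags any source that queries LDAP and then opens SMB connections to many distinct hosts within a short window, the pattern the quoted alert describes. The flow-record format, the addresses and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LDAP_PORTS = {389, 636}  # LDAP and LDAPS
SMB_PORT = 445

# Constructed sample flow records: timestamp, source, destination, dest port.
SAMPLE_FLOWS = """\
2021-10-20T02:14:01 10.0.5.23 10.0.1.10 389
2021-10-20T02:14:09 10.0.5.23 10.0.2.11 445
2021-10-20T02:14:12 10.0.5.23 10.0.2.12 445
2021-10-20T02:14:15 10.0.5.23 10.0.2.13 445
2021-10-20T02:14:19 10.0.5.23 10.0.2.14 445
2021-10-20T02:14:24 10.0.5.23 10.0.2.15 445
2021-10-20T09:00:02 10.0.5.40 10.0.1.10 389
2021-10-20T09:00:05 10.0.5.40 10.0.2.11 445
2021-10-20T09:03:40 10.0.5.40 10.0.2.12 445
2021-10-20T09:05:00 10.0.5.77 10.0.2.11 445
"""

def parse_flows(text):
    """Yield (timestamp, src, dst, port) tuples from whitespace-separated records."""
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(flows, window=timedelta(minutes=5), min_hosts=5):
    """Return {src: SMB hosts} for sources that fan out over SMB soon after LDAP."""
    last_ldap = {}               # src -> time of its most recent LDAP query
    recent = defaultdict(list)   # src -> [(ts, dst)] SMB connections in window
    alerts = defaultdict(set)
    for ts, src, dst, port in sorted(flows):
        if port in LDAP_PORTS:
            last_ldap[src] = ts
        elif port == SMB_PORT and src in last_ldap:
            # Drop SMB connections that have aged out of the sliding window.
            recent[src] = [(t, d) for t, d in recent[src] if ts - t <= window]
            recent[src].append((ts, dst))
            hosts = {d for _, d in recent[src]}
            if len(hosts) >= min_hosts and ts - last_ldap[src] <= window:
                alerts[src] |= hosts
    return {src: sorted(hosts) for src, hosts in alerts.items()}

if __name__ == "__main__":
    for src, hosts in find_smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src}: LDAP query followed by SMB to {len(hosts)} hosts")
```

Tune `window` and `min_hosts` against normal traffic first, since backup servers and management tools also reach many hosts over SMB.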
References:
[1] https://us-cert.cisa.gov/ncas/alerts/aa21-291a