US Authorities Issue BlackMatter Ransomware Alert
The US authorities have released more details on emerging ransomware group BlackMatter, which they say has already targeted multiple critical infrastructure providers in the country.
The alert comes from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA).
The ransomware-as-a-service (RaaS) operation appeared in July. It has been suggested that it may have links to the DarkSide group that came under pressure from Washington after the Colonial Pipeline attack. That group subsequently disappeared.
BlackMatter is said to eschew healthcare, NGO, government, oil and gas and other critical infrastructure sectors. However, last month it targeted New Cooperative, a US grain producer that says it plays a key role in the US food supply chain, with a $5.9m ransom demand.
Demanding payments of up to $15m from its victims, BlackMatter has been observed using remote monitoring and management software and remote desktop software to achieve persistence. The ransomware may also carry previously compromised credentials embedded in the binary, which it uses over LDAP and SMB to access Active Directory and discover all hosts on the network, the alert noted.
Data exfiltration is attempted over the web, and SMB is used to encrypt shares remotely. There’s also a warning