How to Stay Safe from BlackMatter Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have jointly published an advisory whose indicators and detection guidance can help organizations detect and defend against this adversary's network activity.

BlackMatter is a ransomware-as-a-service (RaaS) operation, first observed in July 2021, whose operators have stated that they target corporate networks of organizations with annual revenue of at least $100 million in the United States, Canada, Australia, and the United Kingdom.

BlackMatter actors have encrypted systems at a number of U.S. organizations and demanded ransoms of up to $15 million, payable in Bitcoin.

The joint cybersecurity advisory from CISA, the FBI, and the NSA details the tactics, techniques, and procedures (TTPs) used by the BlackMatter ransomware group, which organizations can use to harden their defenses and tune their detections.

In one variant examined in a sandbox, the malware used embedded, previously compromised administrator credentials to query Active Directory over LDAP and SMB and discover every host in the victim's domain.

The TTP information in the advisory was obtained from the following BlackMatter ransomware sample, analyzed in a sandbox environment, together with reporting from trusted third parties: SHA-256 706f3eec328e91ff7f66c8f0a2fb9b556325c153a329a2062dc85879c540839d.

Beyond reusing the embedded admin or user credentials that were compromised earlier in the intrusion, the variant calls NtQuerySystemInformation to enumerate running processes and EnumServicesStatusExW to enumerate services.
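The credential-driven host discovery described above leaves a recognizable footprint in Windows Security logs: one account producing successful network logons (Event ID 4624, logon type 3) on many different computers within seconds. The following detector is an added example written for this page; it is not code from the joint advisory or from BlackMatter analysis. It runs over constructed, flattened 4624/4625 records whose key=value layout, host names, account names, addresses and thresholds are all assumptions made for illustration, so the format will need adapting to whatever your SIEM forwarder actually emits.

```python
"""
Added example (not from the CISA/FBI/NSA advisory or the article): flag a
single credential fanning out across many hosts in a short window, the
pattern left behind when embedded, previously compromised credentials are
used to walk every host in the domain.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security logon records, flattened to
# key=value text. Field names follow the 4624 event schema; the hosts,
# accounts, addresses and timestamps are invented for this example.
# The 4625 record (failed logon) and the interactive logon (LogonType=2)
# are included to show that the filter ignores them.
SAMPLE_LOG = """\
2021-10-18T02:14:05Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=FS01.corp.local
2021-10-18T02:14:06Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=FS02.corp.local
2021-10-18T02:14:06Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=DC01.corp.local
2021-10-18T02:14:07Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=WKS-117.corp.local
2021-10-18T02:14:08Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=WKS-118.corp.local
2021-10-18T02:14:09Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=SQL01.corp.local
2021-10-18T02:15:40Z EventID=4624 LogonType=2 TargetUserName=jsmith TargetDomainName=CORP IpAddress=- Computer=WKS-042.corp.local
2021-10-18T02:16:12Z EventID=4624 LogonType=3 TargetUserName=jsmith TargetDomainName=CORP IpAddress=10.0.7.41 Computer=FS01.corp.local
2021-10-18T03:40:00Z EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=FS01.corp.local
2021-10-18T02:14:09Z EventID=4625 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP IpAddress=10.0.5.23 Computer=HR01.corp.local
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one flattened record into a dict with a datetime timestamp.

    Returns None for blank lines. The leading token is assumed to be an
    ISO-8601 UTC timestamp followed by space-separated key=value fields.
    """
    line = line.strip()
    if not line:
        return None
    ts_text, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_credential_fanout(log_text, window=timedelta(minutes=5), min_hosts=5):
    """Return accounts whose network logons reached >= min_hosts distinct
    computers inside any span of length `window`.

    Only successful network logons (EventID 4624, LogonType 3) count:
    failed attempts and interactive logons are ignored. One finding is
    produced per account, covering the window with the most hosts.
    """
    per_account = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        account = f'{ev.get("TargetDomainName", "")}\\{ev["TargetUserName"]}'
        per_account[account].append((ev["timestamp"], ev["Computer"], ev["IpAddress"]))

    findings = []
    for account, events in per_account.items():
        events.sort()  # records may arrive out of order
        best = None
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            hosts = {host for _, host, _ in in_window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "account": account,
                    "window_start": t0,
                    "window_end": in_window[-1][0],
                    "hosts": sorted(hosts),
                    "source_ips": sorted({ip for _, _, ip in in_window}),
                }
        if best is not None:
            findings.append(best)
    findings.sort(key=lambda f: f["window_start"])
    return findings


if __name__ == "__main__":
    for f in find_credential_fanout(SAMPLE_LOG):
        print(f'{f["account"]} reached {len(f["hosts"])} hosts from {f["source_ips"]} '
              f'between {f["window_start"]:%H:%M:%S} and {f["window_end"]:%H:%M:%S}: '
              f'{", ".join(f["hosts"])}')
```

On the constructed sample this reports only CORP\svc_backup, which touched six distinct hosts from one source address in four seconds; the later lone logon at 03:40 and jsmith's single share access fall below the threshold. Backup, monitoring and vulnerability-scanning accounts legitimately fan out in exactly this way, so baseline each service account's usual host count and source addresses and treat a new source address or an unusual host set as the signal rather than the raw count alone.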
