The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) published a cybersecurity advisory regarding BlackMatter ransomware cyber intrusions targeting multiple U.S. critical infrastructure entities, including two U.S. food and agriculture sector organizations. The advisory includes technical details, analysis and assessment of this cyber threat and several mitigation actions that can be taken to reduce the risk to this ransomware.

First seen in July 2021, cyber actors leveraged BlackMatter with embedded, previously compromised credentials that enabled them to access the network and remotely encrypt hosts and shared drives. When the actors found backup data stores and appliances on the network, not stored offsite, they wiped or reformatted the data. BlackMatter is a ransomware-as-a-service (Raas) tool, which means the developers can profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it.

“This advisory highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “CISA, FBI and NSA are taking every step possible to try to make it harder for cybercriminals to operate. Americans can help us in this long-term endeavor by visiting Stopransomware.gov to learn how to reduce their risk of becoming a victim of ransomware.”  

“The FBI, along with CISA and NSA, is dedicated to preventing, disrupting, and combating the evolving ransomware threat,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division. “Unfortunately, too many ransomware incidents go unreported, and because silence benefits the cybercriminals the most, we ask targeted entities to contact their local FBI Field Office and speak to a cyber agent. By reporting a cyber incident, targeted entities are enhancing our ability to respond and investigate with the goal of disrupting cybercriminal operations. We will continue to leverage our unique authorities and capabilities to protect the American people from this threat; however, we cannot accomplish this alone. We remain committed to providing the public and our private sector partners with information that will bolster their ability to decrease vulnerabilities and increase awareness of potential exploits.”

“The threat of ransomware goes beyond specific impacts to a victim company – it has risen to a national security issue,” said Rob Joyce, Director of Cybersecurity at NSA. “NSA’s technical skills and threat intelligence will continue to support our partners across government and industry to degrade adversary footholds into networks where they launch ransomware. Employing the mitigations in the joint advisory with CISA and FBI will protect networks and mitigate the risk against BlackMatter and other ransomware attacks.”

CISA, FBI and NSA are unified in emphasizing the value and importance for organizations to apply best practices to protect their networks, systems and data, such as:

1. Implement and enforce backup procedures.
2. Use strong, unique passwords.
3. Use multi-factor authentication.
4. Implement network segmentation and traversal monitoring.

All organizations striving to protect their networks from a ransomware attack to ensure their systems are resilient should read the joint advisory for the full spectrum of recommended mitigations. Detection signatures are also included in the advisory that may be used for detecting network activity associated with BlackMatter activity.

This advisory includes analysis of a sample of BlackMatter ransomware and information from trusted third parties. The adversary actors’ behavior is mapped to the MITRE ATT&CK framework, a common lexicon of adversary behavior recommended by CISA.

The advisory can be found here and is available on the new, whole-of-government ransomware website, StopRansomware.gov.