Ransomware continues to evolve in its reach, effectiveness, and sophistication. This week CISA, the FBI, and the NSA issued a joint alert on a strain of ransomware called BlackMatter. Here’s what makes it different, and so dangerous.
First, BlackMatter is a RaaS distributed model – Ransomware As A Service. This approach allows anyone with the desire to launch an attack the means to do so, and it allows the developers to sit back and participate in the profits. BlackMatter isn’t the first RaaS, but it may be the most treacherous. BlackMatter starts like most Ransomware – it uses compromised user credentials. Whether those credentials were obtained on the dark web, through a phishing attack, or other means, this is the gateway for almost all ransomware attacks, and it highlights the need to use complex passwords that expire, and two-factor authentication wherever possible.
Once BlackMatter gets into a network, it uses tools built into Microsoft to identify other machines on the network, including virtual machines. It also looks for backup files and destroys them. BlackMatter is targeting everything from our national infrastructure to medical facilities. By the way, Linux users aren’t safe either, BlackMatter has tools to attack that OS as well, including Linux-based virtual machines.
Why are we calling your attention to this particular ransomware, other than the attention it’s getting from our cyber agencies? Because this attack uses network file shares to traverse networks and access other machines. Network file shares have always been a security vulnerability and this ransomware exploits that. We encourage you to re-think your network configuration if you are relying upon shared folders to provide other users with access to files.
The following steps are recommendations for mitigating your risks to BlackMatter (and other ransomware attacks). We encourage you to share this information with your IT team.
CISA, the FBI, and NSA urge network defenders, especially critical infrastructure organizations, to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
Implement Detection Signatures
Implement the detection signatures identified above. These signatures will identify and block the placement of the ransom note on the first share that is encrypted, subsequently blocking additional SMB traffic from the encryptor system for 24 hours.
Use Strong Passwords
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts.) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
Implement Multi-Factor Authentication
Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Patch and Update Systems
Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Limit Access to Resources over the Network
Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
Use a host-based firewall to only allow connections to administrative shares via SMB from a limited set of administrator machines.
Implement Network Segmentation and Traversal Monitoring
Adversaries use the system and network discovery techniques for network and system visibility and mapping. To limit an adversary from learning the organization’s enterprise environment, limit common system and network discovery techniques by taking the following actions.
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Use Admin Disabling Tools to Support Identity and Privileged Access Management
If BlackMatter uses compromised credentials during non-business hours, the compromise may not be detected. Given that there has been an observed increase in ransomware attacks during non-business hours, especially holidays and weekends, CISA, the FBI, and NSA recommend organizations:
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the AD level when the account is not in direct need. When the account is needed, individual users submit their requests through an automated process that enables access to a system, but only for a set timeframe to support task completion.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Implement and Enforce Backup and Restoration Policies and Procedures
Maintain offline backups of data, and regularly maintain backup and restoration. This practice will ensure the organization will not be severely interrupted, have irretrievable data, or be held up by a ransom demand.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
CISA, the FBI, and NSA urge critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise.
Disable the storage of clear text passwords in LSASS memory.
Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
Implement Credential Guard for Windows 10 and Server 2016 (Refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).
Minimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ Ticket Granting service and can be used to obtain hashed credentials that attackers attempt to crack.
Set a strong password policy for service accounts.
Audit Domain Controllers to log successful Kerberos Ticket-Granting Service requests and ensure the events are monitored for anomalous activity.
Refer to the CISA-Multi-State information and Sharing Center (MS-ISAC) Joint Ransomware Guide for general mitigations to prepare for and reduce the risk of compromise by ransomware attacks.
Be alert online at all times.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay