Key Takeaway
BlackMatter, a ransomware-as-a-service (RaaS) operation that surfaced in July 2021 and is widely assessed to be a rebrand of DarkSide, ran double-extortion campaigns against organizations in North America and Europe. Its affiliates gained access through stolen credentials, phishing and unpatched public-facing applications, including Microsoft Exchange servers vulnerable to CVE-2021-34473 (part of the ProxyShell chain). Timely patching, offline and immutable backups, MFA on every remote entry point, and monitoring for command-and-control traffic remain the core defenses.
What Happened
In July 2021, a ransomware group calling itself BlackMatter surfaced on criminal forums and quickly became a notable threat to organizations across multiple sectors. The group advertised itself as combining the best features of DarkSide, REvil and LockBit, and is widely assessed to be a rebrand of DarkSide, which had gone quiet after causing significant disruption earlier that year. BlackMatter was a Russian-speaking operation: its ransomware checks the system language and refuses to run on machines configured for Russian or other CIS-country locales. It focused on extorting large ransoms, with demands often reaching millions of dollars, and targeted organizations primarily in North America and Europe.
BlackMatter operated as a Ransomware-as-a-Service (RaaS) program: the core group maintained the malware, leak site and negotiation portal, and recruited affiliates to carry out intrusions in exchange for a share of the proceeds. This model let it scale its victim count quickly. The group also claimed to test each build of its custom malware against popular endpoint security products before release, which helped it evade signature-based detection.
Technical Details
BlackMatter affiliates used several initial access vectors: previously compromised credentials, phishing emails, and exploitation of vulnerabilities in public-facing applications. After gaining access, they relied on well-known post-exploitation tooling such as Cobalt Strike to maintain a foothold and move laterally. One exploited vulnerability was CVE-2021-34473, a critical (CVSS 9.1 per Microsoft) pre-authentication path-confusion flaw in the Microsoft Exchange Server Autodiscover component. Chained with CVE-2021-34523 and CVE-2021-31207, collectively known as ProxyShell, it allows unauthenticated remote code execution on an unpatched Exchange server; Microsoft had already shipped fixes for all three in its 2021 Exchange security updates before BlackMatter appeared, so exposure was a patching problem rather than a zero-day.
Once inside the network, BlackMatter exfiltrated sensitive data before encrypting, then applied double extortion: victims were asked to pay both for the decryption key and to prevent publication of the stolen data on the group's leak site. Published Indicators of Compromise (IOCs) consisted mainly of IP addresses and domains tied to the group's command-and-control (C2) infrastructure, and defenders were advised to alert on any outbound connection to them.
The ransomware itself was capable. It terminates a list of processes and services, including database, backup and security software, so that files those programs hold open can be encrypted; it uses embedded Active Directory credentials to enumerate hosts and encrypts remotely mounted SMB shares as well as local drives; and, according to the joint CISA/FBI/NSA advisory on the group, it wipes or reformats backup data stores and appliances rather than merely encrypting them. BlackMatter updated the malware frequently to get past new defenses, and its modular design made those updates easy to ship.
Impact
Organizations across multiple sectors, including healthcare, financial services, and critical infrastructure, were affected by BlackMatter's campaigns. These incidents often resulted in significant operational disruptions and financial losses, further amplified by the public disclosure of stolen information in cases where the ransom was not paid.
The scale of their operations underscored the importance of robust cybersecurity measures and incident response plans. Companies lacking adequate detection and response capabilities found themselves particularly vulnerable to BlackMatter's tactics, techniques, and procedures (TTPs).
What To Do
- Update Systems: Apply security patches promptly, with priority on internet-facing services; for Exchange that means the updates covering CVE-2021-34473 and the rest of the ProxyShell chain.
- Backup Data: Maintain offline, encrypted and ideally immutable backups that cannot be reached with domain credentials, and test restores regularly; BlackMatter deliberately wiped reachable backup appliances.
- Enable Multi-Factor Authentication (MFA): Require MFA on every remote entry point (VPN, RDP, webmail) and on all privileged accounts to blunt credential-based access.
- Conduct Phishing Training: Regularly train employees to recognize and report phishing attempts.
- Monitor Network Traffic: Alert on outbound connections to known C2 addresses from published IOC lists, and investigate unusual traffic patterns such as large outbound transfers that may indicate data exfiltration.
- Implement Network Segmentation: Restrict SMB and RDP between workstations and to servers, and segment critical systems, so a single compromised host cannot encrypt shares across the whole estate.
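The "Monitor Network Traffic" item above is the one most easily turned into a concrete check. The script below is an added example, not code from the original article or from any vendor: it parses firewall log lines and reports every internal host that contacted an address on a C2 IOC list. It goes slightly beyond the bullet point by accepting CIDR blocks as well as single addresses and by counting denied attempts separately, since a blocked connection to C2 still means the source host is compromised. The log format, the hostnames and every IP address are constructed for illustration; the "C2" entries sit in the RFC 5737 documentation ranges and are not real BlackMatter infrastructure.

```python
"""Match outbound connection log lines against a C2 IOC list.

Added example for illustration. The IOC entries, hostnames and log
format below are constructed; swap IOC_LIST for a feed you trust and
adjust LOG_RE to your firewall's export format.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed IOC feed: exact addresses and CIDR blocks, as a feed would supply them.
IOC_LIST = ["203.0.113.45", "198.51.100.0/24"]

# Constructed firewall log lines in a syslog-like key=value style.
SAMPLE_LOGS = """\
2021-09-14T10:02:11Z fw01 action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2021-09-14T10:02:13Z fw01 action=allow src=10.20.5.17 dst=192.0.2.10 dport=443 proto=tcp
2021-09-14T10:03:40Z fw01 action=allow src=10.20.7.9 dst=198.51.100.200 dport=8443 proto=tcp
2021-09-14T10:03:41Z fw01 action=deny src=10.20.7.9 dst=198.51.100.201 dport=8443 proto=tcp
2021-09-14T10:04:02Z fw01 action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
malformed line that should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def load_iocs(entries):
    """Parse IOC entries into ip_network objects; a bare IP becomes a /32.
    Malformed entries are skipped so one bad feed line cannot stop the scan."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue
    return nets


def match_ioc(dst, nets):
    """Return the IOC network containing dst, or None if dst is clean."""
    addr = ipaddress.ip_address(dst)
    for net in nets:
        if addr in net:
            return net
    return None


def scan_logs(text, nets):
    """Scan log text line by line.

    Returns {(src, ioc_str): [event, ...]} so that repeated beaconing from one
    host to one IOC collapses into a single finding with all its evidence.
    """
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # unparseable line: skip rather than abort the whole scan
            continue
        net = match_ioc(m["dst"], nets)
        if net is None:
            continue
        hits[(m["src"], str(net))].append(
            {"ts": m["ts"], "dst": m["dst"], "dport": int(m["dport"]), "action": m["action"]}
        )
    return dict(hits)


def summarize(hits):
    """One (src, ioc, total_connections, allowed_connections) row per finding.

    Denied connections are counted on purpose: a host trying to reach C2 is
    infected whether or not the firewall let the packet through.
    """
    return sorted(
        (src, ioc, len(events), sum(1 for e in events if e["action"] == "allow"))
        for (src, ioc), events in hits.items()
    )


if __name__ == "__main__":
    iocs = load_iocs(IOC_LIST)
    for src, ioc, total, allowed in summarize(scan_logs(SAMPLE_LOGS, iocs)):
        print(f"ALERT host={src} ioc={ioc} connections={total} allowed={allowed}")
```

Run against the constructed sample it reports two findings: 10.20.5.17 beaconing twice to 203.0.113.45, and 10.20.7.9 contacting two addresses inside 198.51.100.0/24 with one attempt blocked. Keying findings on (source, IOC) rather than on individual lines is deliberate: a ransomware beacon fires every few seconds, and an analyst needs one ticket per infected host, not thousands.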
Organizations should continuously assess their security posture and invest in ongoing threat intelligence to anticipate and mitigate evolving ransomware threats such as BlackMatter. Collaboration with industry peers and sharing of threat intelligence can also enhance overall security readiness and responsiveness.
Original Source: Dark Reading