CISA, the FBI and NSA formally implicated the BlackMatter ransomware group in the recent attacks on two agriculture firms, confirming the assessments of some security researchers who said the gang was behind incidents involving New Cooperative and Crystal Valley in September.
New Cooperative — an Iowa-based farm service provider — was hit with a ransomware attack on September 20, and BlackMatter demanded a $5.9 million ransom. Crystal Valley, based in Minnesota, was attacked two days later. Both attacks came as harvests began to ramp up for farmers.
In the advisory, CISA, the FBI and NSA said BlackMatter has targeted multiple US critical infrastructure entities since July. The advisory provides a detailed examination of BlackMatter's tactics and outlines how the group typically attacks organizations.
“Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network,” CISA said in the advisory.
“BlackMatter then remotely encrypts the hosts and shared drives as they are found. Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory.”
The law enforcement organizations noted that BlackMatter operates as ransomware-as-a-service and may be a rebrand of DarkSide, a ransomware group that allegedly closed shop in May after attacking Colonial Pipeline.
They added that BlackMatter has demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
“Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares' contents, including ADMIN$, C$, SYSVOL, and NETLOGON. BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances,” the advisory explained.
“BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks. BlackMatter attempts to exfiltrate data for extortion. BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory. BlackMatter may wipe backup systems.”
The notice lists dozens of measures organizations should take to protect themselves from BlackMatter, including the implementation of detection signatures, strong passwords, MFA, routine patching, network segmentation and access limitations.
Because of the increase in ransomware attacks on weekends and holidays, CISA suggested organizations implement time-based access for accounts at the admin level and higher.
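The behaviour the advisory describes, a single compromised host using one set of credentials to reach the ADMIN$, C$, SYSVOL and NETLOGON shares of many machines over SMB in quick succession, is unusual for ordinary users and lends itself to a simple detection rule. The script below is an added example written for this article; it is not code from the article, from CISA, or from the advisory's own detection signatures. It assumes a hypothetical, simplified log format (one line per share access, with fields loosely modelled on Windows Security event 5140) and constructed sample lines, and it flags any source address that touches several administrative shares on several hosts inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares the advisory names as targets of remote encryption.
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}

# Constructed sample (hypothetical): one line per network share access, with
# fields loosely modelled on Windows Security event 5140. These are not real logs.
SAMPLE_EVENTS = r"""
2021-09-20T02:13:05 srcip=10.0.5.23 user=CORP\svc_backup host=FS01 share=\\FS01\C$
2021-09-20T02:13:07 srcip=10.0.5.23 user=CORP\svc_backup host=FS01 share=\\FS01\ADMIN$
2021-09-20T02:13:09 srcip=10.0.5.23 user=CORP\svc_backup host=DC01 share=\\DC01\SYSVOL
2021-09-20T02:13:12 srcip=10.0.5.23 user=CORP\svc_backup host=DC01 share=\\DC01\NETLOGON
2021-09-20T02:13:15 srcip=10.0.5.23 user=CORP\svc_backup host=WS104 share=\\WS104\C$
2021-09-20T08:45:00 srcip=10.0.7.8 user=CORP\jdoe host=FS01 share=\\FS01\Finance
2021-09-20T09:10:00 srcip=10.0.7.9 user=CORP\asmith host=FS01 share=\\FS01\Finance
2021-09-20T10:00:00 srcip=10.0.9.1 user=CORP\itadmin host=WS104 share=\\WS104\C$
"""

# Hypothetical line format; adjust the pattern to the real log source.
EVENT_RE = re.compile(r"^(\S+) srcip=(\S+) user=(\S+) host=(\S+) share=(\S+)$")


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by time.

    Blank and malformed lines are skipped rather than raising, so one bad
    record does not stop the rest of the file from being examined.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, srcip, user, host, share = m.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "srcip": srcip,
            "user": user,
            "host": host,
            # Keep only the share name (\\HOST\C$ -> C$), upper-cased for matching.
            "share": share.rsplit("\\", 1)[-1].upper(),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_share_sweeps(events, window=timedelta(minutes=5), min_shares=3, min_hosts=2):
    """Flag each source that touches >= min_shares distinct admin shares on
    >= min_hosts distinct hosts within `window`. One alert per source."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:
            by_src[e["srcip"]].append(e)

    alerts = []
    for srcip, evs in by_src.items():
        for i, start in enumerate(evs):
            hosts, shares, users = set(), set(), set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["host"])
                shares.add((e["host"], e["share"]))
                users.add(e["user"])
            if len(shares) >= min_shares and len(hosts) >= min_hosts:
                alerts.append({
                    "srcip": srcip,
                    "users": users,
                    "hosts": hosts,
                    "share_count": len(shares),
                    "first_seen": start["time"],
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_share_sweeps(parse_events(SAMPLE_EVENTS)):
        print(f"{a['first_seen']} {a['srcip']} as {sorted(a['users'])} touched "
              f"{a['share_count']} admin shares on {sorted(a['hosts'])}")
```

In the sample, 10.0.5.23 is flagged because it reaches five administrative shares on three hosts within ten seconds, while the single C$ access from 10.0.9.1 and the ordinary Finance share traffic are not. The thresholds are deliberately parameters: backup agents and patch management tools legitimately touch ADMIN$ and C$ on many hosts, so in a real deployment the source addresses and accounts of those systems should be allow-listed and the window and counts tuned against a baseline before the rule pages anyone.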
In September, the FBI released its own notice warning firms in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains. The FBI note said ransomware groups are seeking to “disrupt operations, cause financial loss, and negatively impact the food supply chain.”
“Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems,” the FBI said.
“Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack.”
The notice listed several attacks on the food and agriculture sector since November, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of roughly $9 million.
In November 2020, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.