BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities

BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities

BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, to include two U.S. Food and Agriculture Sector organizations.

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued a joint cybersecurity advisory about BlackMatter ransomware attacks. The advisory includes new information on BlackMatter cyber actor tactics, techniques, and procedures (TTPs), as well as mitigations to reduce the risk of BlackMatter ransomware compromise.

“First seen in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero,” CISA, FBI, and NSA stated in the alert.

In September, 2021, an Iowa-based farm service provider NEW Cooperative was hit by a major BlackMatter ransomware attack. As part of that attack, the BlackMatter ransomware group had demanded a ransom of $5.9 million against the farm service provider.

In May 2021, a ransomware attack also hit JBS USA, the world’s largest global meat producer, with a variant of the Sodinokibi/REvil ransomware.

BlackMatter analysis

After analyzing malware samples, the cyber experts discovered that the BlackMatter variant compromised and then used embedded administrator or user credentials, as well as abuse running processes and services.

“BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the ‘srvsvc.NetShareEnumAll’ Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares,” the advisory stated.

“Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.”

Moreover, the BlackMatter actors typically would encrypt Linux-based machines and ESXi virtual machines, but would wipe or reformat backup data stores and appliances.


The joint alert provided some solid mitigations for critical infrastructure organizations to reduce the risk of a BlackMatter ransomware compromise such as:

  • Implement detection signatures.
  • Use strong passwords.
  • Implement Multi-Factor Authentication (MFA).
  • Patch and update systems.
  • Limit access to network resources (such as administrative shares).
  • Implement network segmentation and traversal monitoring.
  • Implement time-based access for accounts set at the admin-level and higher.
  • Disable command-line and scripting activities and permissions.
  • Maintain offline backups.
  • Ensure all backup data is encrypted, immutable.
  • Disable the storage of clear text passwords in LSASS memory.
  • Disable or limit New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Minimize the AD attack surface.

Related Articles