The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Oct. 18 warning organizations that the BlackMatter ransomware group is targeting U.S. critical infrastructure entities.
The advisory, issued in conjunction with the FBI and National Security Agency (NSA), warns that the BlackMatter ransomware group has targeted at least two food and agriculture sector organizations since July 2021 and warns of tactics the group may use.
“Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the mitigations section of this joint advisory,” the agencies wrote. “These mitigations will help organizations reduce the risk of compromise from BlackMatter ransomware attacks.”
The agencies’ intel notes that the BlackMatter group first appeared this July and operates as a ransomware-as-a-service (RaaS) tool. The tool allows the developers of the ransomware to profit from any users who deploy it on unsuspecting or unprepared victims. CISA notes that BlackMatter could potentially be a rebrand of the Darkside RaaS group that was responsible for the Colonial Pipeline ransomware attack.
To reduce exposure to these attacks, CISA, the FBI, and NSA recommend that organizations:
- Implement the intrusion detection signatures provided in the advisory;
- Use strong passwords;
- Implement multi-factor authentication;
- Patch and update systems;
- “Implement network segmentation and traversal monitoring”;
- Limit access to resources over the network;
- Support identity and privileged access management by using admin-disabling tools; and
- Implement and enforce backup restoration policies and procedures.
If organizations find themselves on the wrong end of a ransomware attack, the agencies recommend following CISA’s ransomware response checklist, scanning backups, immediately reporting the intrusion, and then applying incident response best practices.