CISA, the FBI and NSA officially implicated the BlackMatter ransomware group in the recent attacks on two agriculture companies, confirming the assessments of some security researchers who said the gang was behind incidents involving New Cooperative and Crystal Valley in September.
New Cooperative, an Iowa-based farm service provider, was hit with a ransomware attack on September 20, and BlackMatter demanded a $5.9 million ransom. Crystal Valley, based in Minnesota, was attacked two days later. Both attacks came as the harvest season was ramping up for farmers.
In the advisory, CISA, the FBI and NSA said BlackMatter has targeted multiple US critical infrastructure entities since July 2021. The advisory provides a detailed examination of BlackMatter's tactics, techniques and procedures and outlines how the group typically attacks organizations.
“Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network,” CISA said in the advisory.
“BlackMatter then remotely encrypts the hosts and shared drives as they are found. Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory.”
The three agencies noted that BlackMatter operates as ransomware-as-a-service (RaaS) and may be a rebrand of DarkSide, the group that closed shop in May after its attack on Colonial Pipeline.
They added that BlackMatter had demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
“Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON. BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances,” the advisory explained.
“BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks. BlackMatter attempts to exfiltrate data for extortion. BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory. BlackMatter may wipe backup systems.”
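The behaviour the advisory describes, one already-compromised host pushing encryption out over SMB to the ADMIN$, C$, SYSVOL and NETLOGON shares of every machine it discovers, leaves a distinctive trace: a single source address and account reaching administrative shares on many distinct hosts within minutes. The following detector, an added example that is not part of the ZDNet article or of the CISA advisory's own published signatures, runs that check over Windows Security Event ID 5140 (network share object accessed) records. The pipe-delimited field layout and the sample log lines are constructed for the example; in practice the same fields come out of the event's Source Address, Account Name, Computer and Share Name values.

```python
"""Flag one source touching admin shares on many hosts in a short window.

Added example, not code from the ZDNet article or the CISA advisory.
Input: Windows Security Event ID 5140 records reduced to
    timestamp|source_ip|account|target_host|share_path
That layout, and the sample lines below, are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Shares the advisory names as targets of remote encryption. SYSVOL and
# NETLOGON are read legitimately by every domain member at logon, so the
# trigger is "many distinct target hosts", not "any access at all".
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}


@dataclass(frozen=True)
class ShareAccess:
    ts: datetime
    source_ip: str
    account: str
    target_host: str  # machine whose share was opened
    share: str        # share name, e.g. ADMIN$


def parse_5140(line: str) -> ShareAccess:
    """Parse one constructed 5140 line into a ShareAccess record."""
    ts, src, acct, host, share_path = line.split("|")
    # Share Name appears as \\*\ADMIN$ ; keep only the last path element.
    share = share_path.rstrip("\\").rsplit("\\", 1)[-1].upper()
    return ShareAccess(datetime.fromisoformat(ts), src, acct, host, share)


def find_bulk_share_access(events, window=timedelta(minutes=5), min_hosts=10):
    """Return {(source_ip, account): {target hosts}} for every source that
    reached admin shares on >= min_hosts distinct hosts inside any `window`.
    Uses a sliding window over the time-sorted events of each source."""
    by_source = defaultdict(list)
    for e in events:
        if e.share in ADMIN_SHARES:
            by_source[(e.source_ip, e.account)].append(e)

    alerts = {}
    for key, evs in by_source.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            hosts = {e.target_host for e in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(key, set()).update(hosts)
    return alerts


# Constructed sample: a backup account and a user doing normal things, plus
# one account fanning out to ADMIN$ / C$ on twelve workstations in ~3 minutes.
_BASE = datetime(2021, 9, 20, 3, 10, 0)
SAMPLE_LOG = [
    "2021-09-20T02:00:00|10.0.1.10|CORP\\backup_svc|FS01|\\\\*\\C$",
    "2021-09-20T02:20:00|10.0.1.10|CORP\\backup_svc|FS02|\\\\*\\C$",
    "2021-09-20T02:40:00|10.0.1.10|CORP\\backup_svc|FS03|\\\\*\\C$",
    "2021-09-20T08:01:12|10.0.7.44|CORP\\jdoe|DC01|\\\\*\\NETLOGON",
    "2021-09-20T08:01:13|10.0.7.44|CORP\\jdoe|DC02|\\\\*\\SYSVOL",
] + [
    f"{(_BASE + timedelta(seconds=15 * i)).isoformat()}|10.0.5.23|CORP\\svc_erp"
    f"|WS{i:03d}|\\\\*\\{'ADMIN$' if i % 2 else 'C$'}"
    for i in range(12)
]


def run_example():
    """Parse the constructed log and return the alert map."""
    return find_bulk_share_access(parse_5140(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for (src, acct), hosts in run_example().items():
        print(f"ALERT {src} as {acct}: admin shares on {len(hosts)} hosts "
              f"within 5 min, e.g. {sorted(hosts)[:3]}")
```

The threshold and window are tuning knobs: set `min_hosts` above the fan-out of your real backup, patch and inventory accounts, and exclude those service accounts explicitly rather than lowering the bar. Because the detector keys on (source, account) and counts distinct target hosts, a workstation reading SYSVOL from two domain controllers stays well below the threshold, while a single account opening ADMIN$ or C$ across a dozen hosts in three minutes, the pattern of one host remotely encrypting its neighbours, is exactly what fires.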
The advisory lists dozens of measures organizations should take to protect themselves from BlackMatter, including deploying the detection signatures it ships, using strong and unique passwords, requiring MFA for administrator and remote-access accounts, patching promptly, segmenting the network and monitoring lateral traversal, and limiting which hosts and accounts can reach resources over the network.
Because ransomware attacks have increasingly been launched on weekends and holidays, when staff are least likely to notice, CISA also suggested that organizations implement time-based access for accounts at the admin level and higher, so that privileged credentials are only valid during the period they are actually needed.
In September, the FBI released its own notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains. The FBI note said ransomware groups are seeking to “disrupt operations, cause financial loss, and negatively impact the food supply chain.”
“Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems,” the FBI said.
“Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack.”
The notice listed multiple attacks on the food and agriculture sector since November 2020, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million.
The notice also cited a November 2020 attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.
"CISA says BlackMatter ransomware group behind recent attacks on agriculture companies", posted on www.zdnet.com, October 19, 2021.