Feds Urge Action Against BlackMatter Ransomware Based on Third-Party Tip


A joint advisory officially associates the notorious ransomware-as-a-service group with the Colonial Pipeline attack.

Federal agencies credited a trusted third party in issuing specific detection signatures to combat activity from BlackMatter, which they said has attacked multiple critical infrastructure organizations, most notably in the agricultural sector.

“This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting,” reads an advisory released Monday by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI.

The advisory urged typical mitigations for defending against ransomware, along with specific signatures to detect activity associated with BlackMatter, which it acknowledged is likely the reincarnation of the group previously called DarkSide.

“First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims,” according to the advisory. “BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.”

After taking responsibility for the Colonial Pipeline attack in May, DarkSide said it would shut down operations, but observers had already expected the group would simply reemerge under a different name.

In June, President Joe Biden met with Russian President Vladimir Putin and warned of consequences for harboring ransomware criminals associated with groups like DarkSide and REvil, to which officials have attributed an attack on meat producer JBS. Officials said Biden shared a list of critical infrastructure that is off-limits.

In September, BlackMatter demanded a $5.9 million ransom in an attack on an Iowa grain co-op. The website for the group, which researchers also associate with REvil, reportedly claims the group does not attack critical infrastructure. The advisory released Monday begs to differ.

“Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations,” the agencies wrote.