Cybersecurity Snapshots #22 - BlackMatter: The DarkSide Ransomware Group Rebranded?
Cybersecurity Snapshots #22 -
BlackMatter: The DarkSide Ransomware Group Rebranded?
On Friday, May 7, 2021, an affiliate of the DarkSide Ransomware-as-a-Service (RaaS) attacked Colonial Pipeline, a major U.S. fuel pipeline. A week later, DarkSide announced it was shutting down its operations after its servers were allegedly seized and its cryptocurrency wallets drained. DarkSide was followed into apparent retirement by another ransomware service, REvil, the threat actor behind the attack on Kaseya which affected approximately 50 of its companies worldwide. In late July, a new RaaS appeared on the scene called BlackMatter. The operators behind BlackMatter claim that their ransomware incorporates the best features of DarkSide, REvil, and LockBit 2.0 ransomware. The operators also say that while they are closely acquainted with the Darkside operators, they are not the same people, but is that true?
Researchers at Sophos took a deeper look at BlackMatter ransomware and found that when victims are hit with the BlackMatter ransomware, the files on the drives are encrypted, and BlackMatter sets a very similar wallpaper to DarkSide's. Also, like DarkSide, the wallpaper is stored in the same folder on disk (C:\ProgramData), with an identical file size (2,818,366 bytes), image format (.BMP), and image size (1706 x 826 pixels, 16-bit color depth). BlackMatter, like DarkSide and LockBit 2.0 employs a partial encryption scheme, which means the ransomware does not encrypt the entire file but only a portion. This has the same effect but significantly shortens the attack duration since only a fraction of a file is read and overwritten. Researchers at Sophos stated that attacking merely 1 MB of each file means hundreds of files can become encrypted in a second. In addition to partial encryption, BlackMatter makes use of multithreading. Multithreading has been available in CPUs since 2001 and increases the utilization of a processor core by using the complementary processes of thread-level parallelism and instruction-level parallelism. This effectively leads to higher throughput and lower latency since data in a faster medium (such as memory) can be retrieved by one thread while another thread retrieves data from a slower medium (such as storage), with neither thread waiting for the other to finish. During encryption, the BlackMatter ransomware's file system activity and use of multithreading looks the same as DarkSide's. Like DarkSide and REvil, BlackMatter uses a runtime API that can hinder static analysis of the malware. And like the other two ransomware groups, strings are also encrypted and revealed during runtime. Like REvil, LockBit 2.0, and DarkSide, BlackMatter also attempts to elevate its privileges when limited by User Account Control (UAC). The BlackMatter ransomware collects information from victim machines, like hostname, logged in user, operating system, domain name, system type (architecture), language, and the size of the disk and available free space.
Even though BlackMatter is a new group, they have already caused significant damage to organizations through their ransomware. So far, BlackMatter has published stolen data from 10 organizations on its leak site. The group primarily targets large and well-resourced organizations in the U.S., U.K., Canada, Australia, India, Brazil, Chile, and Thailand. Olympus was recently affected by BlackMatter ransomware which affected the organization's computer network in Europe, Middle East, and Africa. The attack began on the morning of September 8th. An Iowan agricultural group was also recently hit by BlackMatter ransomware during the weekend of September 18th and 19th. The Iowan Agriculture group stated that the attack's impact on the U.S. public could be worse than the Colonial Pipeline incident. According to reports, BlackMatter targeted New Cooperative, a major U.S. grain producer, with a $5.9m ransom demand. In emails sent to the ransomware gang during negotiations, New Cooperative wrote that about 40% of grain production runs on their software, and 11 million animals' feed schedules rely on them. New Cooperative also stated that the ransomware attack will cause a public disruption to the grain, pork, and chicken supply chain. The ransomware gang has not budged on their $5.9m ransom demand. The Biden administration has made it clear that 16 critical infrastructure sectors of the U.S. economy are off-limits to cybercrime groups thought to be operating from Russia. BlackMatter claimed that New Cooperative doesn't reach the threshold that the President laid out. After a relatively quiet summer, this attack would appear to be testing those red lines. Security researchers stated that if this is the attitude Russia-based threat actors have towards the President's warnings, this could indicate similar attacks to come.
Several factors suggest a connection between BlackMatter and DarkSide. However, after researchers at Sophos conducted malware analysis, the researchers determined that while there are similarities with DarkSide ransomware, the code is not identical, which means the BlackMatter group is not the DarkSide group rebranded. The researchers stated that in the hands of an experienced adversary, BlackMatter ransomware can cause a lot of damage without triggering any alarms. Security researchers noted that organizations should be on the lookout for this new malware in the future and warned organizations to never pay the demanded ransom. Security researchers also stated that it is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with disastrous consequences.