[BreachExchange] HHS Warns Health Sector of BlackMatter Attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Sep 14 09:02:51 EDT 2021


https://www.govinfosecurity.com/hhs-warns-health-sector-blackmatter-attacks-a-17522

Federal regulators are alerting healthcare and public health sector
entities to the "elevated threat" of potential ransomware attacks by
BlackMatter, despite the gang's purported claims that it is not targeting
"critical infrastructure" organizations, such as hospitals.

In a threat brief issued Sept. 2, the Department of Health and Human
Services' Health Sector Cybersecurity Coordinating Council, or HC3, notes
that BlackMatter malware first surfaced in July, and is suspected to be the
successor of DarkSide and REvil RaaS operations (see: BlackMatter
Ransomware Appears to be Spawn of DarkSide).

According to the alert, a BlackMatter representative claims that the group
does not attack a variety of industries, including hospitals, and if these
entities are attacked, then the company can ask for "free decryption."

“We will not allow our project to be used to encrypt critical
infrastructure that will attract unwanted attention to us,” BlackMatter
claims, according to HC3's alert.

Cybercriminal Claims

Threat analyst Brett Callow of the security firm Emsisoft says the gang’s
claims "should be taken with a pinch of salt" for a couple of reasons.

"First because they’re conscienceless criminals and cannot be trusted.
Second because they will not have complete control over the affiliates," he
says.

"We’re actually aware of BlackMatter attacks on healthcare providers. It’s
happening," he says.

Furthermore, "even if the criminals provide healthcare organizations with a
no-cost decryptor, the attacks would still represent a significant risk to
lives," he says.

For instance, in the May ransomware attack on Ireland's public health
system – the Health Service Executive – the Conti gang reportedly provided
a free decryptor, but the recovery process still took many weeks (see:
Ransomware Gang Provides Irish Health System With Decryptor).

"As the HSE case demonstrated, recovery can be an extremely long process
even when the organization has the decryptor. The disruption can last for
weeks or even months," he says.

Callow also says that despite the early suspected ties to REvil,
BlackMatter appears to be "a rebrand of DarkSide" - the gang responsible
for the attack on Colonial Pipeline. "I have no connection between them and
REvil, besides possibly shared affiliates," he notes.

BlackMatter Traits

The HC3 alert notes that BlackMatter targets Windows and Linux servers and
that the "ransomware [is] written in C that encrypts files using a
combination of Salsa20 and 1024-bit RSA."

Additionally, HC3 says BlackMatter ransomware:

   - Attempts to mount and encrypt unmounted partitions;
   - Targets files stored locally and on network shares, as well as
   removable media;
   - Can terminate processes prior to encryption;
   - Deletes volume shadow copies and ignores specific directories, files
   or file extensions during encryption;
   - Can be configured to upload system information to a remote server via
   HTTP or HTTPS;
   - Collects system information such as system name, username, domain,
   language information and list of enumerated drives.

'Highly Sophisticated'

HC3 says the BlackMatter group is likely Eastern European and is
Russian-speaking. Targeted countries include the U.S., India, Brazil,
Chile, Thailand and others.

Targeted industries so far are legal, real estate, IT services, food and
beverage, architecture, education and finance. The group is also actively
seeking initial access brokers and affiliates for ransomware deployment,
the advisory says.

BlackMatter is a "highly sophisticated, financially motivated cybercriminal
operation," HC3 notes.

BlackMatter is believed to be behind a Sept. 8 cyberattack on Olympus, a
Japanese company that manufactures optics and reprography products (see:
Olympus: 'Potential Cyber Incident' Disrupted EMEA System).

BlackMatter is just one of approximately 20 known and active ransomware
gangs working globally, says retired supervisory FBI agent Jason G. Weiss,
an attorney at the law firm Faegre Drinker Biddle & Reath LLP.

"All these ransomware gangs are … a true and present danger to the
healthcare sector in particular," he says.

"The healthcare sector deals with life and death matters on a daily basis …
They are not risking just the encryption of their business documents, but
in many instances these ransomware attacks are also attacking their
'operational technology' networks that control the actual infrastructure of
these healthcare entities and put real lives at risk."

Steps to Take

HC3 provides a number of suggested defense and mitigation steps for
healthcare sector entities to take. Those include:

   - Implementing whitelisting technology to ensure that only authorized
   software is allowed to execute;
   - Providing access control based on the principle of least privilege;
   - Maintaining an anti-malware solution;
   - Conducting system hardening to ensure proper configurations;
   - Disabling the use of SMBv1 - and all other vulnerable services and
   protocols - and requiring at least SMBv2.

In addition, entities should restrict, minimize or eliminate RDP usage, HC3
says.
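
As an added illustration (not part of the HC3 brief or the original article), the following read-only PowerShell audit checks a Windows host against the SMB and RDP items in the list above. The function names and report layout are assumptions made for this sketch, and the Network Level Authentication check is an extra hardening check that the article does not mention; run it from an elevated prompt.

```powershell
# Added example: read-only audit of the SMB and RDP settings named in the HC3 list.
# Function names and the report layout are assumptions for this sketch.
function New-Finding {
    param([string]$Check, $Value, $Pass)
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass }
}

function Get-Hc3ExposureAudit {
    # SMB server side: SMBv1 must be off and SMBv2 or later must be on.
    $smb = Get-SmbServerConfiguration
    New-Finding -Check 'SMBv1 server disabled' -Value $smb.EnableSMB1Protocol `
                -Pass (-not $smb.EnableSMB1Protocol)
    New-Finding -Check 'SMBv2+ server enabled' -Value $smb.EnableSMB2Protocol `
                -Pass ([bool]$smb.EnableSMB2Protocol)

    # RDP: fDenyTSConnections = 1 means Remote Desktop is switched off.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections
    New-Finding -Check 'RDP disabled' -Value $deny -Pass ($deny -eq 1)

    if ($deny -ne 1) {
        # Assumption beyond the article: where RDP must stay on, expect
        # Network Level Authentication (UserAuthentication = 1).
        $nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" `
                    -Name UserAuthentication).UserAuthentication
        New-Finding -Check 'RDP requires NLA' -Value $nla -Pass ($nla -eq 1)

        # Least privilege: list who may log on over RDP for manual review.
        # S-1-5-32-555 is the well-known SID of "Remote Desktop Users".
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue)
        New-Finding -Check 'Remote Desktop Users (review)' `
                    -Value ($members.Name -join ', ') -Pass $null
    }
}

Get-Hc3ExposureAudit | Format-Table -AutoSize
```

A row with Pass = False marks a setting that differs from the recommendation; the group membership row is informational and needs a human decision.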