A new ransomware gang has just begun launching attacks against several sectors. Watch a panel discussion about how to defend your organization.
Two ransomware gangs are attacking, and organizations need to defend themselves.
In an Urgent Panel discussion on September 28, 2021 held by Critical Insight, panelists provided advice to organizations and to U.S. leaders on how to respond:
Watch the 60-minute panel discussion for more takeaways. As one person said, "I've been in the business for 15 years, and I learned a lot from these guys."
Here's more detail on the cyber terrorists:
The BlackMatter ransomware group appeared in late July 2021. In their interactions with other threat actors and cybersecurity investigators, the group claims to be a new entity. Most cybersecurity professionals reject this and say that their actions and the tools they use show that they are basically the DarkSide cybercrime group operating under a new name.
The FBI identified the DarkSide criminals as the perpetrators behind the Colonial Pipeline attack in May 2021. The regulatory and political pressure that this attack generated led to the group disappearing online. The BlackMatter ransomware group seems to be their re-emergence, hardly a surprise given how lucrative ransomware attacks are. The BlackMatter methodology is straight-up modern extortion.
Standard ransomware tactics, but successful for them and devastating to any organization they breach. See our What is Ransomware, and How Do I Prevent It? post for steps to protect your organization, and join us on the live panel for the latest information.
In addition to the renewed BlackMatter activities causing alarm in cybersecurity circles, CISA issued an alert warning healthcare and other critical infrastructure providers about another attack group. The alert outlines the threat and mitigation techniques that organizations can use to combat the Conti ransomware threat. Technical details are delivered using the MITRE ATT&CK framework for reference.
A non-technical joint release from CISA, the FBI, and the NSA accompanying the alert notes that CISA and the FBI have observed over 400 attacks using Conti ransomware. The attacks were against U.S. and international organizations. The attackers aimed to steal files, encrypt servers and workstations, and demand a ransom payment to return stolen sensitive data.
The Conti ransomware group uses a ransomware-as-a-service (RaaS) model. They employ attack vectors such as spear-phishing campaigns, remote monitoring and management software vulnerabilities, the "PrintNightmare" vulnerability, and remote desktop software security gaps to gain access. Then they follow the typical ransomware script to steal data and extort ransom payments.
The joint release concludes by strongly recommending that impacted organizations should not pay any ransom demands. Doing so only perpetuates the cycle of attacks.