Under Attack? Breach Response Hotline: Call

Day 24: BlackMatter Ransomware

Common Attack Vectors

  • Sever Message Block (SMB) protocol
  • Lightweight Directory Active Protocol (LDAP)
  • Phishing Email
  • Virtual Private Network (VPN)

Vulnerabilities Exploited

  • Public-facing web servers
  • VMware ESXi servers
  • Boot or Logon Autostart Execution: Registry Run Keys/ Startup Folder
  • (Virtual Private Network) VPN appliances or servers

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Legal

Threat actors target legal companies and law firms stealing their clients' confidential information.

Finance

Threat actors target financial institutions to steal peoples' names, financial records, social security numbers, and bank accounts.

Recent Activity

BlackMatter ransomware breached Olympus, a Japanese technology giant, that affected the company’s IT systems in the EMEA region.

New Cooperative, a farm service provider in Iowa, was breached by the BlackMatter ransomware affecting the devices and systems.

Common File Extensions

Random character string of numbers and letters

Known Alias

  • No Known Alias

How BlackMatter Ransomware is Distributed

BlackMatter ransomware gains access through compromised vulnerable edge devices and using obtained corporate credentials. The ransomware members exploit the infrastructure vulnerabilities’ including remote desktop, virtualization and VPN appliances or servers. Some initial access operators affiliated with BlackMatter will bring their own Tactics, Techniques and Procedures (TTPs) and exploit some vulnerabilities. BlackMatter uses the obtained credentials to exploit companies that don’t enforce multi-factor authentication on internet-facing services. The group and their affiliates are opportunistic exploiting vulnerable organizations based on their susceptibility to an intrusion method instead of investing their time and effort toward a specific target. BlackMatter gained extensive and intimate knowledge of the victim’s infrastructure using victim-specific ransomware configurations including tailored process and service names, terminating them before the encryption process begins. They also use an embedded list of high-privilege credentials’ including domain administrator or service accounts providing the ability to access and encrypt valuable data throughout the network. The threat actors also use a separate encryption binary for Linux-based machines and encrypt ESXi virtual machines and they wipe or reformat backup data stores and appliances.

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.

Day 24: BlackMatter Ransomware

Common Attack Vectors

  • Sever Message Block (SMB) protocol
  • Lightweight Directory Active Protocol (LDAP)
  • Phishing Email

Vulnerabilities Exploited

  • Public-facing web servers
  • VMware ESXi servers
  • Boot or Logon Autostart Execution: Registry Run Keys/ Startup Folder
  • (Virtual Private Network) VPN appliances or servers

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Healthcare

Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.

Critical Infrastructure

Threat actors target critical infrastructure, impacting businesses that provide services to consumers and other organizations.

Legal

Threat actors target legal companies and law firms stealing their clients' confidential information.

Finance

Threat actors target financial institutions to steal peoples' names, financial records, social security numbers, and bank accounts.

Recent Activity

BlackMatter ransomware breached Olympus, a Japanese technology giant, that affected the company’s IT systems in the EMEA region.

New Cooperative, a farm service provider in Iowa, was breached by the BlackMatter ransomware affecting the devices and systems.

Common File Extensions

Random character string of numbers and letters

Known Alias

  • No Known Alias

How BlackMatter Ransomware is Distributed

BlackMatter ransomware gains access through compromised vulnerable edge devices and using obtained corporate credentials. The ransomware members exploit the infrastructure vulnerabilities’ including remote desktop, virtualization and VPN appliances or servers. Some initial access operators affiliated with BlackMatter will bring their own Tactics, Techniques and Procedures (TTPs) and exploit some vulnerabilities. BlackMatter uses the obtained credentials to exploit companies that don’t enforce multi-factor authentication on internet-facing services. The group and their affiliates are opportunistic exploiting vulnerable organizations based on their susceptibility to an intrusion method instead of investing their time and effort toward a specific target. BlackMatter gained extensive and intimate knowledge of the victim’s infrastructure using victim-specific ransomware configurations including tailored process and service names, terminating them before the encryption process begins. They also use an embedded list of high-privilege credentials’ including domain administrator or service accounts providing the ability to access and encrypt valuable data throughout the network. The threat actors also use a separate encryption binary for Linux-based machines and encrypt ESXi virtual machines and they wipe or reformat backup data stores and appliances.

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.

Translate »

Total Economic Impact™ Of SpearTip ShadowSpear