Joint Cybersecurity Advisory on BlackMatter Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the National Security Agency (NSA) released a joint cybersecurity advisory underscoring the persisting threat from the BlackMatter Ransomware group. The advisory includes tactics, techniques, and procedures (TTPs) associated with BlackMatter activity which could help organizations defend against this threat group. BlackMatter was first detected in July 2021 and has since targeted multiple critical infrastructure entities. According to the advisory, “using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network.” The advisory includes further technical details regarding the group’s activity, including detection signatures, and lists recommended mitigations. Members are also encouraged to visit StopRansomware.gov for protecting against ransomware threats. To report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. Read the advisory at CISA.