Although highly publicized ransomware gangs REvil and DarkSide recently dropped off the radar, other ransomware as a service (RaaS) groups have started surfacing to take their place. The new group BlackMatter is the one garnering interest from people within the cybersecurity space, and for obvious reasons, explains Tenable threat researcher Satnam Narang. “It has a lot of parallels to REvil and DarkSide, and they even admit they're inspired by them," he says. "But it's hard to definitively discount the possibility they are effectively a rebrand from one of the other groups or a combination.”
Of course, one key difference exists: BlackMatter has explicitly called out which organizations or business types are off limits. “I think that's a byproduct of what happened earlier this year, with Colonial Pipeline and JBS Foods and the intense scrutiny placed on these predatory groups,” says Narang.
Read on as Narang shares more insights into BlackMatter, growing ransomware trends and what steps manufacturers should consider within this ever-evolving threat landscape.
IW: What are you seeing in terms of their strategies?
Narang: When you look at most RaaS offerings, they do their job. They promote heavily on these dark net forums, and they are ultimately able to recruit affiliates to help do the dirty work. This is obviously the key driver. However, it is important to note affiliates aren't necessarily beholden to one ransomware group. It's not like a sports team where you root for the Lakers or the Yankees. Affiliates will basically work with any group if they're offering a premium reward and their ransomware does a really good job. People are seeing BlackMatter and know whoever is behind it has a pretty good understanding of operating techniques, and they are filling that vacuum left behind by REvil and DarkSide.
IW: When researching ransomware groups and recent attacks, what trends are you seeing?
Narang: In addition to the double extortion trend, we've been seeing ransomware groups contacting customers of their target organizations to put more pressure on them to pay the ransom. Some ransomware groups were also experimenting with performing denial of service attacks on company websites, which basically is their place to provide updates for businesses that partner with them to let them know they are undergoing a ransomware attack and here's where you can find all updates. Taking away that avenue and adding the additional scrutiny of contacting customers intensifies the risk exposure.
IW: How would you classify the sophistication level of today's ransomware attack strategies?
Narang: It's more a matter of the cat and mouse game of who can encrypt the fastest. Some groups are talking about the ability to automate some of the distribution of the ransomware. And once they get into a network, they're leveraging some automated scripts to deploy the ransomware throughout the domain. There are incremental improvements happening within the ransomware space itself when it comes to infecting organizations. A lot of it is a combination of what we already know. We know they target organizations through phishing attacks, vulnerable Remote Desktop Protocol, or weak passwords. Unfortunately, unpatched vulnerabilities are a continuous problem for organizations, and remain one way that ransomware groups, or specifically ransomware affiliates, are successful. We've also seen several instances of zero-day vulnerabilities. When it comes to getting into networks, it's pretty much the same techniques.
One other element that doesn't get talked about enough when it comes to reaching organizations is this group of individuals called initial access brokers. These are people who already have access to organizations, and they're going around selling access. If you're an affiliate, and you want to purchase access to that network, you can use that to deploy the ransomware. It'll cost you some money upfront, but you don't have to go through the process of trying to exploit a vulnerability or find a zero-day vulnerability because someone's already found the way in. The initial upfront cost may be somewhat significant, but if you're getting a hefty payout from the ransom, it'd be worth it. It wasn't talked about as much in the last couple of years, but we're starting to hear more about these brokers, which adds another element to the criminal enterprise of ransomware.
IW: Any recommendations for organizations as they look to better protect themselves?
Narang: It sounds like a broken record, but people need to hear the same things over and over. Most importantly, patch your systems. Obviously, you cannot protect against a zero-day vulnerability per se, but you can potentially detect when attackers are in your environment. Having best-of-breed management tools, having user awareness training for employees about security threats over email, having endpoint security, gateway security – all the things we preach about as an industry.
Organizations also need to understand they can't protect their way out of everything. There may very well be a breach that happens, so being prepared would help with mitigation. Do some proactive exercises within your organization on how to respond to a breach, so that you're prepared for when and if it occurs. Knowing that when is far more likely than if, organizations should invest in putting incident response plans in place to mitigate the effects of an attack, and to be able to understand what happened.
IW: Do you see important organizations having transparency when they do suffer an attack?
Narang: I absolutely do. It's a very difficult balancing act because on one hand admitting that you were compromised is hard, but at the same time, for the greater good of the industry, being able to talk through what happened and what you're doing about it helps others learn. Working with our government partners and the private sector is really going to be helpful to better understand how these attacks occur, and how we can better protect against these attacks in the future.
Continuing to sound the alarm is one step we all can take. There are some examples of organizations who have kept the public well informed of their investigation, the outcome of their investigation, and some of the learnings. If you sweep it under the rug, we can't really learn much from it. But if you shine a light on it, it will help us better understand.
IW: Any last thoughts?
Narang: The more we invest in protecting critical infrastructure, the better off we'll be, because they're the ones that have the most significant impact. If you're a hospital and you get hit by a ransomware attack, it can potentially have a profound impact on the level of care.
BlackMatter's explicit mentions of not targeting certain industries go to show what type of effect government pressure can have, and the potential retaliation aspect, whether it's sanctions or other consequences, may help drive attackers away from these industries. But my concern is more on how much scrutiny they're placing on the affiliates. The affiliates are the ones doing the attacks, and they are not beholden to a specific ransomware group. If one ransomware group says it's not targeting these industries, the affiliate could just go shopping around to another ransomware group that is okay with it. It may mitigate some potential attacks, but it doesn't necessarily wipe them out completely.