The health and public health sector is facing an elevated risk of ransomware attacks by affiliates of the BlackMatter ransomware-as-a-service (RaaS) operation, according to the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services.
The BlackMatter threat group emerged in July 2021, shortly after the DarkSide ransomware gang shut down its operation and the Sodinokibi/REvil gang took its infrastructure offline. The Russian-speaking threat group is believed to originate in Eastern Europe and has conducted many attacks over the past couple of months in Brazil, Chile, India, Thailand, and the United States. The group also started leaking data stolen in attacks on its data leak site on August 11, 2021.
The threat group has mostly conducted ransomware attacks on companies in the real estate, food and beverage, architecture, IT, financial services, and education sectors, and while the ransomware gang has publicly stated it would not attack hospitals, critical infrastructure companies, nonprofits, government, and defense contractors, there is concern that attacks may still occur.
The threat group said in its sales pitch for affiliates that its ransomware incorporates the best features of the DarkSide, LockBit 2.0 and Sodinokibi/REvil ransomware variants, and a technical analysis of the ransomware found several similarities with both the DarkSide and Sodinokibi/REvil ransomware variants, suggesting the gang has links with those operations.
BlackMatter said its affiliates are not permitted to attack hospitals, and should any hospital or nonprofit company be attacked, they can make contact and request free decryption. The threat group also said, “We will not allow our project to be used to encrypt critical infrastructure that will attract unwanted attention to us.” There is, of course, no guarantee that an attack would not still occur, nor that a free decryptor would be provided. As HC3 warned, “these details are what BlackMatter claims to be, and may not be accurate,” and the DarkSide and Sodinokibi/REvil ransomware variants have both been used in attacks on the health and public health sector.
The threat group is actively seeking initial access brokers (IABs) that can provide access to corporate networks, as well as affiliates to conduct attacks. IABs often sell compromised RDP credentials, VPN login credentials, and web shells, which provide ransomware gangs with the access they need to conduct attacks.
According to HC3, there have been “at least 65 instances of threat actors selling network access to healthcare entities on hacking forums in the past year.” An analysis of 1,000 forum posts selling network access in the past 12 months found the United States was the worst affected country, and 4% of breached entities were in the healthcare industry.
BlackMatter is used in attacks on Windows and Linux systems, encrypts files using Salsa20 and 1024-bit RSA, and attempts to mount and encrypt unmounted partitions. The ransomware encrypts files stored locally, on removable media, and on network shares, and deletes shadow copies to prevent recovery without paying the ransom. Files are also exfiltrated prior to encryption and stolen data have been published on the gang’s leak site to encourage payment of the ransom.
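Because the brief notes that BlackMatter deletes shadow copies before encryption, a cheap early-warning signal for defenders is to alert on the Windows commands commonly used to do that. The script below is an added example, not code from HC3 or the brief; the log format, the sample lines and the command patterns are my own assumptions, and the `vssadmin list shadows` line is included to show that routine administrative queries do not trigger the alert.

```python
"""Flag process-creation log lines that indicate shadow-copy deletion.

Added detection example, not from the HC3 brief. The log format
(timestamp host user cmd=<command line>) and the sample lines are
constructed for illustration. The command patterns are an assumption
based on well-known Windows administration commands (vssadmin, wmic,
and the Win32_ShadowCopy WMI class) that ransomware commonly abuses.
"""
import re
from typing import Dict, List

# Patterns for shadow-copy deletion. Listing and querying shadow copies is
# normal administrative activity and deliberately does not match.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*(Remove-WmiObject|\.Delete\(\))", re.IGNORECASE),
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields."""
    ts, host, user, rest = line.split(" ", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": rest.split("cmd=", 1)[1]}


def find_shadow_copy_deletion(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events whose command line matches a deletion pattern."""
    hits = []
    for line in lines:
        if not line.strip():
            continue  # skip blank lines in the feed
        event = parse_line(line)
        if any(p.search(event["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(event)
    return hits


# Constructed sample feed: two benign lines, two that should alert.
SAMPLE_LOG = [
    "2021-09-01T08:00:01Z ws01 alice cmd=notepad.exe C:\\notes.txt",
    "2021-09-01T08:05:10Z srv02 backupsvc cmd=vssadmin list shadows",
    "2021-09-01T09:12:44Z srv02 SYSTEM cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2021-09-01T09:12:45Z fs01 SYSTEM cmd=wmic shadowcopy delete",
]

if __name__ == "__main__":
    for hit in find_shadow_copy_deletion(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['host']} {hit['user']}: {hit['cmd']}")
```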
Even if free decryptors are provided, the cost of remediating an attack is likely to be significant. It is therefore important for the health and public health sector to take steps to improve defenses and make BlackMatter and other ransomware attacks more difficult.
In the threat brief, HC3 provides cybersecurity best practices that should be adopted to mitigate the BlackMatter threat, which include maintaining offline, encrypted backups, regularly testing backups to ensure file recovery is possible, and creating, maintaining, and exercising a basic cyber incident response plan and communications plan.
The sector has also been advised to mitigate Internet-facing vulnerabilities and misconfigurations, patch promptly, conduct regular security awareness training for the workforce, and implement defenses such as spam filters to combat email phishing and social engineering attacks.