BlackMatter Ransomware Targets US Food Industry - CISA, NSA, FBI Alert

October 19, 2021

Critical Infrastructure Under Attack by BlackMatter Ransomware

A collaborative warning has been released by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). This advisory details the activities of the BlackMatter ransomware group, which has been actively targeting organizations considered critical infrastructure.

Targeted Sectors and Recent Attacks

The advisory indicates that “multiple” organizations have been affected, with at least two located within the U.S. food and agriculture sector. While specific victims haven't been publicly identified, recent incidents point to a pattern of attacks.

Iowa New Cooperative, a farm service provider based in Iowa, experienced a ransomware attack last month. Hackers demanded a $5.9 million ransom for system restoration. Subsequently, Crystal Valley, a Minnesota-based farm supply and grain marketing cooperative, suffered a similar breach.

BlackMatter Tactics and Potential Origins

The advisory offers a comprehensive overview of the BlackMatter threat. It highlights the group's destructive tactics, which include deliberately deleting backup data rather than simply encrypting it.

Detection signatures and recommended mitigation strategies are also included. Furthermore, the advisory supports the growing suspicion that BlackMatter may be a rebranded version of the DarkSide ransomware operation. The FBI previously attributed the attack on Colonial Pipeline to DarkSide.

Ransomware-as-a-Service Model

BlackMatter operates on a ransomware-as-a-service (RaaS) model. This allows affiliates to utilize BlackMatter’s infrastructure in exchange for a percentage of any ransom payments received.

Ransom demands issued by BlackMatter have varied significantly, ranging from $80,000 to $15 million, typically requested in cryptocurrency.

Recommendations for Organizations

Organizations, particularly those operating within critical infrastructure, are strongly urged to enhance their cybersecurity posture. Implementing security best practices is paramount.

  • Utilize strong, unique passwords.
  • Enable multi-factor authentication.
  • Maintain up-to-date operating systems.
  • Deploy a host-based firewall.
  • Ensure all backup data is encrypted.

Reporting and Ransom Payment Guidance

The three agencies emphasize the importance of immediately reporting any ransomware attack. They strongly advise against paying ransom demands.

Paying a ransom can have several negative consequences. It may encourage further attacks, incentivize other criminal actors, and potentially fund illicit activities. Moreover, there is no guarantee of data recovery even after a ransom is paid.

Global Impact of BlackMatter

The impact of BlackMatter extends beyond the United States. Japanese technology company Olympus was also targeted, resulting in the shutdown of its network across Europe, the Middle East, and Africa.
