Actions You Can Take Now to Protect Against BlackMatter Ransomware
- Implement and enforce backup and restoration policies and procedures.
- Implement network segmentation and traversal monitoring.

This joint Cybersecurity Advisory was developed by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) to provide information on BlackMatter ransomware. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. Food and Agriculture Sector organizations.

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well as from trusted third-party reporting. Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

Note: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, version 9. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques.
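As an added illustration of the discovery-then-remote-encryption pattern described above (example code, not from the advisory or from CISA), the following Python heuristic scans constructed SMB share-access audit records for a single account reaching shares on many distinct hosts within a short window, the fan-out that a remote encryption run over SMB produces. The record format, the five-minute window and the three-host threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry), shaped like an export of
# SMB share-access auditing (e.g. Windows Security Event ID 5140):
# ISO timestamp, account, target host, share path.
SAMPLE_LOG = """\
2021-10-18T02:14:01 CORP\\jdoe        FS01  \\\\FS01\\Projects
2021-10-18T02:14:09 CORP\\svc_backup  FS01  \\\\FS01\\C$
2021-10-18T02:14:15 CORP\\svc_backup  WS02  \\\\WS02\\C$
2021-10-18T02:14:22 CORP\\svc_backup  WS03  \\\\WS03\\ADMIN$
2021-10-18T02:14:30 CORP\\svc_backup  WS04  \\\\WS04\\C$
2021-10-18T02:40:00 CORP\\jdoe        FS01  \\\\FS01\\Projects
2021-10-18T03:05:12 CORP\\admin       WS02  \\\\WS02\\C$
2021-10-18T04:20:45 CORP\\admin       WS09  \\\\WS09\\C$
"""


def parse(log_text):
    """Parse whitespace-separated records into (time, account, host, share)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, host, share = line.split()
        events.append((datetime.fromisoformat(ts), account, host, share))
    return events


def find_fanout(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted distinct hosts} for every account that touched
    shares on at least `threshold` distinct hosts inside any `window`.
    One account sweeping many hosts this quickly is the signal to triage;
    a user opening one file server repeatedly is not."""
    by_account = defaultdict(list)
    for ts, account, host, _share in parse(log_text):
        by_account[account].append((ts, host))
    flagged = {}
    for account, evs in by_account.items():
        evs.sort()  # chronological order so the sliding window works
        for i, (start, _) in enumerate(evs):
            hosts = {h for t, h in evs[i:] if t - start <= window}
            if len(hosts) >= threshold:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    for account, hosts in find_fanout(SAMPLE_LOG).items():
        print(f"{account} reached {len(hosts)} hosts: {', '.join(hosts)}")
```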