Zffoto - stock.adobe.com
BlackMatter Ransomware Group No Longer Active, HC3 Says
BlackMatter ransomware group, which orchestrated cyberattacks against healthcare organizations, appears to have shut down operations.
The Health Sector Cybersecurity Coordination Center (HC3) reduced the threat level of BlackMatter ransomware from “elevated” to “guarded.” A recent HC3 report found that BlackMatter, which was known to target the healthcare sector despite promising otherwise, had not claimed any cyberattacks since October 31, 2021.
BlackMatter was a Russian-speaking Ransomware-as-a-Service (RaaS) group based in Eastern Europe whose suspected predecessors were responsible for sophisticated cyberattacks including Colonial Pipeline and Kaseya. The group was first detected in July 2021.
In a September brief, HC3 warned the healthcare sector of the financially motivated group and its tactics, techniques, and procedures (TTPs). In October, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint advisory to warn organizations about BlackMatter.
The group had previously demanded ransomware payments ranging from $80,000 to $15,000,000. About half of its victims were based in the US.
Despite BlackMatter’s claims of not targeting healthcare organizations, HC3 observed at least four healthcare-related incidents tied to BlackMatter.
“The US-based organizations include a pharmaceutical consulting company, a medical testing & diagnostics company, and a dermatology clinic,” the report stated.
“A global medical technology company based in the Asia-Pacific region also suffered a BlackMatter incident. Additionally, the BlackMatter RaaS operators claimed a U.S.-based law firm providing COVID-19-related legal services as a victim.”
HC3 has not observed a BlackMatter cyberattack since October 31. On November 1, BlackMatter announced that it was shutting down operations due to pressure from law enforcement. The remaining BlackMatter victims were transferred to the group’s competitor, LockBit.
“HC3 can confirm that the BlackMatter leak site is no longer operational and no known ransomware variants are believed to be successors at this time, according to open source reporting,” the report continued.
“While the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void.”
In its September brief, HC3 urged the healthcare sector to practice proper cyber hygiene, work on patching known vulnerabilities, and train employees to recognize phishing emails in order to avoid becoming the group’s next victim.
Even though BlackMatter may be gone, these tactics remain essential to healthcare cybersecurity. The Department of Homeland Security (DHS) recently warned of potential Russian cyberattacks against US critical infrastructure as tensions rise between the US, Russia, and Ukraine.
“Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure," the January 23 DHS memo stated.
In addition, organizations across all sectors are still grappling with Log4j exploitation attempts. Microsoft observed commodity attackers and nation-state actors taking advantage of the Log4j vulnerabilities in late December.
As previously noted, the fall of one ransomware group will likely lead to the rise of another. Healthcare organizations should remain vigilant and employ comprehensive cybersecurity measures in order to mitigate risk.