
BlackMatter Ransomware Attacks Threaten Healthcare, HC3 Says

HC3, HHS’s cybersecurity arm, released a threat brief breaking down the BlackMatter ransomware group’s origins, threat tactics, and likely targets.

The Health Sector Cybersecurity Coordination Center (HC3) recently released a detailed threat brief on BlackMatter ransomware, a group that first surfaced in July 2021 shortly after the notorious ransomware group REvil/Sodinokibi abruptly took its website down.

HC3 is an arm of HHS that was created with the goal of protecting the healthcare sector from cyber threats by highlighting various cybersecurity topics, best practices, and mitigation strategies.

According to the brief, BlackMatter claimed to incorporate the “best” features of DarkSide, Lockbit 2.0, and REvil/Sodinokibi into its operations. The result is a sophisticated, financially motivated ransomware-as-a-service (RaaS) program.

HC3 obtained its information from an interview with a BlackMatter representative, hacking forum advertisements, ransom notes, affiliate panel information, and the BlackMatter ransomware public extortion blog.

As a result of its findings, HC3 concluded that the Health and Public Health Sector (HPH) is at an elevated risk when it comes to BlackMatter and should remain vigilant.

BlackMatter’s Origins

HC3 stated that the group likely originated in Eastern Europe and is Russian-speaking. The group has targeted victims in the United States, Brazil, Chile, India, and Thailand so far. BlackMatter has focused on the real estate, IT services, food and beverage, architecture, education, and finance sectors.

The group claimed that it would not target hospitals, critical infrastructure facilities, nonprofit companies, government, the defense industry, or the oil and gas industry. However, the brief noted that “These details are what BlackMatter claims to be, and may not be accurate.”

The brief also suggested that BlackMatter may be the latest successor of DarkSide and REvil/Sodinokibi. Technical analysis revealed “an obvious connection between BlackMatter and DarkSide and REvil samples,” the brief stated.

As a result, the healthcare sector should remain on high alert.

DarkSide claimed responsibility for the cyberattack on US critical infrastructure entity Colonial Pipeline in May, which resulted in supply chain disruptions and motivated President Biden to sign an executive order on improving cybersecurity nationwide.

REvil/Sodinokibi deployed ransomware on US meat supplier JBS in May and IT management software company Kaseya in July, resulting in more supply chain disruptions and widespread concern. The group also claimed responsibility for a cyberattack on University Medical Center of Southern Nevada that compromised the personal data of over 1.3 million individuals.

REvil/Sodinokibi took its infrastructure and websites offline on July 12, 2021. On July 19, a user account with the alias “BlackMatter” was registered on the forum. On July 21, a spokesperson for the group announced its new ransomware on high-tier hacking forums.

By August 11, BlackMatter began announcing its first victims on its data leak and extortion blog.

Tactics and Goals

BlackMatter appears to be strictly financially motivated, according to its website and interviews. In screenshots from the group’s website added to the brief, BlackMatter states: “We are a team that unites people according to one common interest – money.”

“We provide the best service for our clients and partners compared to our competitors. We rely on honesty and transparency in our dealings with our victims. We never attack the company twice and always fulfill our obligations.”

BlackMatter said that it prefers to target organizations with over $100 million in revenue, but HC3 found that most of its victims so far have not reached its revenue criteria.

The group uses ransomware written in C and typically targets Windows and Linux servers. HC3 identified the group as a “highly-sophisticated, financially-motivated cybercriminal operation.”

BlackMatter is actively searching for initial access brokers (IABs), individuals who act as middlemen by selling access to compromised networks to ransomware groups for further exploitation. IABs typically play a major part in the success of ransomware operations.

IABs sell credentials, VPN login information, and web shells to ransomware groups.

“HC3 has observed at least 65 instances of threat actors selling network access to healthcare entities on hacking forums in the past year,” the brief warned.

BlackMatter usually attempts to mount and encrypt unmounted partitions, target locally stored files, and terminate processes before encryption. In addition, the ransomware code can be configured to upload system information to a remote server using HTTP or HTTPS.
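The behaviours the brief lists (mounting unmounted partitions, killing processes before encryption, uploading system information over HTTP/HTTPS) are more useful to a defender as a sequence than as isolated events. The following is an added example, not code from the HC3 brief or the article: a small correlator that flags a host only when those stages appear in order within a short window. The event names, log format, host names, process names and the 203.0.113.10 address are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

STAGES = ("volume_mount", "process_terminate", "http_upload")  # order the brief describes
MIN_TERMINATIONS = 5            # one kill is routine; a burst before encryption is not
WINDOW = timedelta(minutes=10)  # all stages must land inside this span

def parse_event(line):
    ts, host, event, detail = line.split(" ", 3)  # constructed: '<ISO ts> <host> <event> <detail>'
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "detail": detail}

def flag_hosts(lines, window=WINDOW, min_kills=MIN_TERMINATIONS):
    """Return {host: summary} for hosts showing every stage, in order, within the window."""
    by_host = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse_event(line)
            by_host[ev["host"]].append(ev)
    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        first_seen, kills = {}, 0
        for ev in events:
            if ev["event"] == "process_terminate":
                kills += 1
                if kills < min_kills:  # count the burst only once it crosses the threshold
                    continue
            first_seen.setdefault(ev["event"], ev["ts"])
        if not all(stage in first_seen for stage in STAGES):
            continue
        times = [first_seen[stage] for stage in STAGES]
        if times == sorted(times) and times[-1] - times[0] <= window:
            flagged[host] = {"start": times[0].isoformat(), "terminations": kills}
    return flagged

# Constructed sample telemetry: host01 shows the full chain, host02 only routine noise.
SAMPLE_TELEMETRY = """\
2021-08-11T09:58:40 host01 volume_mount E: (was unmounted)
2021-08-11T09:59:02 host01 process_terminate db_service.exe
2021-08-11T09:59:02 host01 process_terminate backup_agent.exe
2021-08-11T09:59:03 host01 process_terminate mail_client.exe
2021-08-11T09:59:03 host01 process_terminate office_app.exe
2021-08-11T09:59:04 host01 process_terminate editor.exe
2021-08-11T10:03:17 host01 http_upload POST https://203.0.113.10/ 18KB
2021-08-11T09:30:00 host02 process_terminate editor.exe
2021-08-11T11:45:00 host02 http_upload POST https://203.0.113.10/ 2KB
"""

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_TELEMETRY.splitlines()))
```

Only host01 is flagged: host02 has a single process termination and no volume mount, so the threshold and ordering checks keep it out of the result.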

Mitigation strategies

“While there have not been any public healthcare victims yet, BlackMatter’s suspected predecessors targeted the healthcare sector,” the brief maintained.

“HPH organizations should remain on alert despite the group’s claims to not target healthcare.”

HC3 recommended that organizations maintain offline, encrypted data backups and engage in regular testing. The brief also suggested that organizations maintain a cyber incident response plan, communications plan, and resiliency plan.

It is crucial that healthcare organizations practice good cyber hygiene, train employees to recognize phishing emails, and work on patching known vulnerabilities and misconfigurations in order to avoid becoming the group’s next victim.
