The Department of Health and Human Services’ cybersecurity department, the Health Sector Cybersecurity Coordination Center (HC3), has issued a warning to organizations in the health and public health sector alerting them to an elevated risk of BlackMatter ransomware attacks.
BlackMatter is a new ransomware-as-a-service (RaaS) operation that appeared in July 2021, shortly after the DarkSide ransomware gang closed down its operation following the high-profile ransomware attack on Colonial Pipeline. BlackMatter is regarded by many cybersecurity experts as the successor to DarkSide.
The threat actors behind BlackMatter claim their project combines the best features of DarkSide, REvil, and LockBit ransomware. The gang is believed to operate out of Eastern Europe, and its members are Russian speakers. Attacks are not conducted in Russia, and so far only a few countries have been targeted, including the United States, Brazil, Chile, India, and Thailand. Industries targeted so far include real estate, IT services, architecture, education, finance, and the food and beverage industry.
The gang is actively recruiting initial access brokers (IABs) who can provide access to networks they have compromised to allow BlackMatter ransomware to be deployed. BlackMatter ransomware attacks typically involve data theft prior to the use of ransomware, and the gang has a data leak site where stolen data are published if the ransom is not paid. The gang has stated it does not conduct attacks on critical infrastructure organizations, nonprofits, healthcare organizations, government and defense, and the oil and gas industry.
The gang is financially motivated: the sole purpose of its attacks is to make money. The gang says it is fully transparent with victims, will never attack them more than once, and will ensure that valid decryption keys are provided and that exfiltrated data will not be sold if the ransom is paid.
HC3 said in its warning that it obtained information about the ransomware operation in an interview with a representative of the gang. It also analyzed data published on the gang’s data leak site, information posted in hacking forums, the gang’s affiliate control panel, and ransom notes. From this, HC3 concluded that, despite the gang’s claim not to attack healthcare organizations, there is an elevated risk of attacks on the health and public health sector.
HC3 said it has observed at least 65 instances where threat actors have sold access to the networks of healthcare organizations in the past year through posts on hacking forums. HC3 says that, so far, the BlackMatter ransomware gang has not conducted any attacks on the healthcare sector, but its predecessor, DarkSide ransomware, was used in attacks on the sector.
“HPH organizations should remain on alert despite the group’s claims to not target healthcare,” said HC3 in the alert. HC3 strongly recommends that all organizations in the health and public health sector regularly back up critical data, store those backups offline, encrypt backups, and test them to make sure file recovery is possible. It is also vital for HPH organizations to implement and maintain a cyber incident response plan, resiliency plan, and communications plan that can be put into action immediately in the event of a BlackMatter or other ransomware attack.
HC3 also recommends providing security awareness training to the workforce, which should cover identifying phishing emails, as this is a common way for IABs to gain access to healthcare networks. Security awareness training is also a requirement of HIPAA, and providing it twice a year is considered best practice.
Prompt patching is also essential, and scans for vulnerabilities and misconfigurations should be performed so that weaknesses can be identified and fixed before they can be exploited.
Information about the tactics, techniques, and procedures used by the gang, indicators of compromise, and other key information can be found in the HC3 TLP: WHITE Alert, Demystifying Blackmatter.