By Chris Grove
Following the reported closure of ransomware group BlackMatter earlier this month, Australian authorities will be watching closely for signs of resurgence.
BlackMatter, which has been compared to DarkSide, the infamous gang behind the Colonial Pipeline attack, announced it was ceasing operations from November 5. We don’t have to look back very far, however, to predict what comes next. Like other ransomware collectives that have gone dark, as we’ve seen most recently with the resurgence of REvil, ‘closed’ doesn’t necessarily mean gone.
Shortly before the announced closure, reports of BlackMatter’s latest victims made the warning clear for Australia’s critical industries and enterprises. Despite an apparent understanding between US and Russian authorities that critical infrastructure targets were ‘off the table’ for criminal operations, NEW Cooperative Inc was hit in September. The US company, a farmers’ cooperative, can reasonably be categorised as critical infrastructure, as it is a key part of the essential food supply chain.
According to the recruitment ads BlackMatter published on cybercrime forums earlier this year, the ransomware-as-a-service (RaaS) group was seeking initial-access brokers able to provide entry to high-value corporate networks: companies with annual revenues of around A$130 million or more, whose networks had between 500 and 15,000 hosts located in the US, the UK, Canada or Australia.
Additionally, the recent aggressive actions taken by the US Government demonstrate that it is willing and able to act against these groups: a US$10 million reward for information on any individual who held or holds a key leadership position in DarkSide or REvil, a US$5 million reward for information on anyone participating in a DarkSide or REvil ransomware incident, the arrests of several alleged members, and the seizure of millions of dollars’ worth of bitcoin. As a result, many criminal enterprises will move on to targets that won’t respond with such vigour or force but are still in countries rich enough to pay a hefty ransom. Unfortunately, Australia sits high on that list.
As the heat is turned up on these criminal gangs, their desire to remain ‘under the radar’ will push them away from targets likely to provoke a strong response. If that happens, an attack of the kind that hit NEW Cooperative could have significant consequences for Australia, just as the Government progresses the recently passed Security of Critical Infrastructure (SOCI) Bill. Modern supply chains are vulnerable to sudden disruption, and the full effects are often understood only much later. Australian companies must be prepared.
One of the keys to getting ahead of this threat is to look at the data behind the attack. Technical analysis of the BlackMatter executable, including the ways the malware hinders analysis, is the most effective way to detect and prevent further attacks, whether they come from a rematerialised ‘new’ RaaS group, from affiliates of the now-defunct BlackMatter realigning themselves with other active ransomware groups, or from entirely new ransomware collectives.
HOW IT OPERATES
The ransomware encrypts victims’ files with a version of ChaCha20, a popular stream cipher, and protects the file-encryption keys with RSA, an asymmetric cryptosystem. RSA ensures that decryption is not possible without the private key, which stays on the attackers’ side and is never present on the victim’s machine. The malware leaves a ransom note in the form of a README file with the (costly) steps to follow to obtain a decryptor.
The malware also performs a number of common ransomware actions: deleting shadow copies and local back-ups, emptying the recycle bin, terminating the processes and services named in its configuration, and changing the desktop wallpaper to point victims to the README file containing the decryption instructions.
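The hybrid scheme described above, as an added illustration that is not BlackMatter’s code: a fresh ChaCha20 key and nonce per file, the key wrapped with the attackers’ RSA public key and stored beside the ciphertext, so the victim holds everything except the one thing needed to decrypt. It uses the `cryptography` package (`pip install cryptography`); the file contents and all keys are constructed at run time, and OAEP padding is an assumption made here for the key wrap.

```python
"""Hybrid file encryption: ChaCha20 for contents, RSA to wrap the per-file key.

Added example, not BlackMatter's code. Requires the `cryptography` package.
The OAEP padding choice and the sample file are assumptions/constructed data.
"""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def chacha20_xor(key: bytes, nonce16: bytes, data: bytes) -> bytes:
    """ChaCha20 is a stream cipher: the same call encrypts and decrypts.
    `cryptography` expects a 16-byte value: 4-byte block counter + 12-byte nonce."""
    enc = Cipher(algorithms.ChaCha20(key, nonce16), mode=None).encryptor()
    return enc.update(data) + enc.finalize()


def encrypt_file(plaintext: bytes, attacker_pub) -> dict:
    """Attacker side. A random 256-bit key and 96-bit nonce per file; the key is
    wrapped with the RSA public key embedded in the malware and then dropped,
    so the plaintext key never persists on the victim machine."""
    key = os.urandom(32)
    nonce = os.urandom(12)
    ciphertext = chacha20_xor(key, b"\x00" * 4 + nonce, plaintext)
    wrapped_key = attacker_pub.encrypt(key, OAEP)
    return {"nonce": nonce, "wrapped_key": wrapped_key, "ciphertext": ciphertext}


def decrypt_file(blob: dict, attacker_priv) -> bytes:
    """Decryptor side: only the RSA private key, which never left the
    attackers, can unwrap the ChaCha20 key."""
    key = attacker_priv.decrypt(blob["wrapped_key"], OAEP)
    return chacha20_xor(key, b"\x00" * 4 + blob["nonce"], blob["ciphertext"])


def demo() -> dict:
    """Run the whole flow and report what each party can and cannot do."""
    attacker_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    attacker_pub = attacker_priv.public_key()
    victim_file = b"Q3 payroll.xlsx contents (constructed sample data)"

    blob = encrypt_file(victim_file, attacker_pub)

    # Victim-side view: a different private key (the victim has none of the
    # attackers' material) cannot unwrap the file key; OAEP fails to decode.
    other_priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        other_priv.decrypt(blob["wrapped_key"], OAEP)
        wrong_key_fails = False
    except ValueError:
        wrong_key_fails = True

    return {
        "ciphertext_differs": blob["ciphertext"] != victim_file,
        "wrapped_key_len": len(blob["wrapped_key"]),  # 256 bytes for RSA-2048
        "wrong_key_fails": wrong_key_fails,
        "recovered": decrypt_file(blob, attacker_priv),
        "original": victim_file,
    }


if __name__ == "__main__":
    result = demo()
    print("decrypted with attacker key:", result["recovered"] == result["original"])
    print("decryption with another key fails:", result["wrong_key_fails"])
```

The point for defenders is structural: because the symmetric key is wrapped before it is written, recovering files from disk artefacts is not possible, and the only realistic recovery paths are offline backups or a key leak or seizure on the attackers’ side.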
THE TECHNICAL PART
The BlackMatter malware attempts to thwart analysis by hiding which Windows application programming interfaces (WinAPIs) it relies on. Instead of listing the required functions in the executable’s import table, where a static analysis tool would read them off immediately, it resolves some of them at runtime by comparing hashes of the export names.
To further complicate analysis, the malware stores the resolved addresses in an unusual way. Rather than writing each one plainly into a table, it randomly chooses one of five encodings, stores the encoded address together with a dynamically built code snippet that decodes it, and runs that snippet just before each call, so the plain function pointer is not there for an analyst to read out of the table.
Another anti-debugging trick is a check on heap memory. When a process runs under a debugger, the Windows heap manager marks allocations with a recognisable debug fill pattern, and the malware looks for that pattern after allocating. If it is present, the malware does not store the address of the decoding snippet in its custom import table, and the debugged sample later crashes when it tries to call through the missing entry.
The sample’s configuration is stored, encrypted, in the .rsrc section, the PE section that normally holds resources such as icons, dialogs and version information. The configuration blob is also compressed, and the individual fields inside it are base64-encoded (base64 being a family of schemes for carrying binary data over channels that only support text). The sample can interact with both plain HTTP and HTTPS endpoints.
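The two import-hiding techniques above, import resolution by hash and the randomly encoded address store, reduced to a stand-alone illustration. This is an added example, not BlackMatter’s code: the hash function (rotate-right-13 with add, a common shellcode-style API hash) and the five pointer encodings are assumptions chosen for illustration, and the export table is constructed with made-up addresses. The heap check from the last paragraph is Windows-specific and is not reproduced here.

```python
"""Import-by-hash resolution and encoded pointer storage, illustrated.

Added example, not BlackMatter's code. Hash algorithm, encodings and the
export table below are assumptions/constructed data.
"""
import random

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def api_hash(name: str) -> int:
    """ROR13-add hash over the ASCII export name (assumed algorithm)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32   # rotate right by 13
        h = (h + b) & MASK32
    return h


# Constructed stand-in for a DLL's export table: name -> address.
FAKE_EXPORTS = {
    "CreateFileW": 0x7FF8_0001_0000,
    "WriteFile": 0x7FF8_0001_0100,
    "DeleteFileW": 0x7FF8_0001_0200,
    "OpenProcess": 0x7FF8_0001_0300,
    "TerminateProcess": 0x7FF8_0001_0400,
}


def resolve_by_hash(exports: dict, wanted: int):
    """Malware side: walk the export table comparing hashes. Only the hash
    constant is present in the binary, never the API name."""
    for name, addr in exports.items():
        if api_hash(name) == wanted:
            return name, addr
    return None


def build_hash_table(names) -> dict:
    """Analyst side: hash a list of known export names to get a hash -> name
    table that turns the malware's opaque constants back into readable calls."""
    return {api_hash(n): n for n in names}


def _rol64(x, n): return ((x << n) | (x >> (64 - n))) & MASK64
def _ror64(x, n): return ((x >> n) | (x << (64 - n))) & MASK64


# Five (encode, decode) pairs. The decode half stands for the small code
# snippet stored beside the encoded value and run just before the call.
ENCODINGS = {
    "xor": (lambda p, k: p ^ k,                 lambda e, k: e ^ k),
    "add": (lambda p, k: (p + k) & MASK64,      lambda e, k: (e - k) & MASK64),
    "sub": (lambda p, k: (k - p) & MASK64,      lambda e, k: (k - e) & MASK64),
    "not": (lambda p, k: ~p & MASK64,           lambda e, k: ~e & MASK64),
    "rol": (lambda p, k: _rol64(p, k % 63 + 1), lambda e, k: _ror64(e, k % 63 + 1)),
}


def store_encoded(addr: int, rng: random.Random) -> dict:
    """Pick one of the five encodings at random and keep the encoded value with
    its matching decoder, as the malware does for each resolved import."""
    scheme = rng.choice(sorted(ENCODINGS))
    key = rng.getrandbits(64)
    enc, dec = ENCODINGS[scheme]
    return {"scheme": scheme, "key": key, "value": enc(addr, key), "decode": dec}


def call_through(entry: dict) -> int:
    """Decode immediately before use; the plain address is never stored."""
    return entry["decode"](entry["value"], entry["key"])


def all_schemes_roundtrip(addr: int) -> bool:
    """Every encoding must decode back to the original address."""
    key = 0x0123456789ABCDEF
    return all(dec(enc(addr, key), key) == addr for enc, dec in ENCODINGS.values())


def randomized_roundtrips(addr: int, n: int, seed: int):
    """Store `addr` n times with random schemes; return (all decoded ok, schemes seen)."""
    rng = random.Random(seed)
    entries = [store_encoded(addr, rng) for _ in range(n)]
    return all(call_through(e) == addr for e in entries), {e["scheme"] for e in entries}


if __name__ == "__main__":
    rng = random.Random(2021)
    table = build_hash_table(FAKE_EXPORTS)
    for target in ("CreateFileW", "TerminateProcess"):
        h = api_hash(target)                      # all the binary would hold
        name, addr = resolve_by_hash(FAKE_EXPORTS, h)
        entry = store_encoded(addr, rng)
        print(f"{h:#010x} -> {table[h]} @ {call_through(entry):#x} via {entry['scheme']}")
```

In practice the analyst’s table is built once from the export lists of the common system DLLs and applied to every hash constant found in the sample; the encoded-pointer store is what defeats the simpler shortcut of dumping the resolved import table from a running process.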
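The layered configuration described above, unpacked the way an analyst would after carving the blob out of the .rsrc section. This is an added example, not BlackMatter’s code or its real format: the page does not name the compression algorithm, so zlib stands in for it, the record layout (`key=base64` lines) is an assumption, and the hosts, kill lists and note name are constructed sample data using reserved example domains. The encryption layer the page mentions is not reproduced, since its algorithm is not given here.

```python
"""Unpacking a compressed, base64-per-field ransomware configuration.

Added example, not BlackMatter's code. zlib stands in for the unnamed
compression; layout, field names and values are assumptions/constructed.
"""
import base64
import zlib

# Constructed sample configuration (reserved example.* domains).
SAMPLE_CONFIG = {
    "c2_hosts": ["http://c2.example.com/api", "https://c2.example.net/api"],
    "kill_processes": ["sql", "oracle", "backup"],
    "kill_services": ["vss", "sql", "svc$"],
    "note_name": "README.txt",
}
LIST_FIELDS = {"c2_hosts", "kill_processes", "kill_services"}


def pack_config(cfg: dict) -> bytes:
    """Build the blob the way the description implies: each field value is
    base64-encoded, then the whole record set is compressed."""
    lines = []
    for key, value in cfg.items():
        raw = ",".join(value) if isinstance(value, list) else value
        lines.append(f"{key}={base64.b64encode(raw.encode()).decode()}")
    return zlib.compress("\n".join(lines).encode())


def unpack_config(blob: bytes) -> dict:
    """Analyst side: decompress, then decode every field. On a real sample the
    blob is carved from the .rsrc section with a PE parser first."""
    cfg = {}
    for line in zlib.decompress(blob).decode().splitlines():
        key, _, b64 = line.partition("=")
        raw = base64.b64decode(b64).decode()
        cfg[key] = raw.split(",") if key in LIST_FIELDS else raw
    return cfg


def plaintext_visible(blob: bytes, cfg: dict) -> bool:
    """Why the layering matters: a plain `strings` pass over the resource sees
    none of the configuration values."""
    return any(host.encode() in blob for host in cfg["c2_hosts"])


def split_endpoints(cfg: dict):
    """Separate plain-HTTP from HTTPS endpoints. Plain HTTP can be inspected on
    the wire; HTTPS needs TLS interception or endpoint telemetry to see into."""
    http = [h for h in cfg["c2_hosts"] if h.startswith("http://")]
    https = [h for h in cfg["c2_hosts"] if h.startswith("https://")]
    return http, https


if __name__ == "__main__":
    blob = pack_config(SAMPLE_CONFIG)
    print("hosts readable with strings:", plaintext_visible(blob, SAMPLE_CONFIG))
    recovered = unpack_config(blob)
    print("kill services:", recovered["kill_services"])
    print("http / https endpoints:", split_endpoints(recovered))
```

The kill lists are the part worth extracting first in an incident: they tell you which backup and database services the operators expected to find, and they make good hunting input for the process and service telemetry on the affected estate.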
There’s a lot to unpack here, but the key thing for Australian organisations to take in is that RaaS groups are not just highly effective but able and willing to infiltrate critical infrastructure providers. The malware has shown it can get past reputable malware-blocking tools; this is a marked evolution of what we’ve seen and defended against before.
Given the ruthlessness and sophistication of this kind of adversary, understanding the attack, as well as addressing key areas of its specific threat and vulnerability landscape, is the first and arguably most important step in enhancing our security posture against future ransomware attacks.
About the Author | Chris Grove is Product Director for industrial cyber security and operational technology specialist Nozomi Networks