A victim of a ransomware attack paid to restore access to their network, but the cybercriminals did not hold up their end of the deal. The real-life incident, as detailed by cybersecurity researchers at Barracuda Networks, occurred in August 2021, when hackers from the BlackMatter ransomware group used a phishing email to compromise a single victim's account at an undisclosed company. First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware's developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, a RaaS active from September 2020 through May 2021. From that initial entry point, the attackers expanded their access to the network by moving laterally through the infrastructure until they were able to install hacking tools and steal sensitive data.
See: https://redskyalliance.org/xindustry/blackmatter-ransomware-cisa-bulletin-tlp-white
Stealing sensitive data has become a common part of ransomware attacks. Criminals leverage it as part of their extortion attempts, threatening to release it if a ransom isn't received. The attackers appear to have had access to the network for at least a few weeks, seemingly going undetected before systems were encrypted and a ransom was demanded to be paid in Bitcoin.
Cybersecurity agencies warn that despite encrypted networks, victims should not pay ransom demands for a decryption key because this only shows hackers that such attacks are effective. Despite this, the unidentified organization chose to pay the ransom after negotiating the payment down from half the original demand. But even though the company gave in to the extortion demands, the BlackMatter group still leaked the data a few weeks later, providing a lesson in why you should never trust cyber criminals.
Cybersecurity responders from Barracuda Networks https://www.barracuda.com helped the victim isolate the infected systems, bring them back online, and restore them from backups. Following an audit of the network, multi-factor authentication (MFA) was applied to accounts, suggesting that a lack of MFA helped the attackers gain and maintain access to accounts in the first place.
A few months after the incident, BlackMatter announced it was shutting down, recommending that those using the Ransomware-as-a-Service scheme should switch to LockBit. According to Barracuda's report, ransomware attacks are on the rise, with more than double the number of attacks targeting key sectors, including healthcare, education, and local government.
Researchers also warn that the number of recorded ransomware attacks against critical infrastructure has quadrupled over the last year. However, the report suggests there are reasons for optimism. "The good news is that in our analysis of highly publicized attacks, we saw fewer victims paying the ransom and more businesses standing firm thanks to better defenses, especially in attacks on critical infrastructure," a Barracuda spokesman stated.
It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks, except for the countries sponsoring or benefiting from the ransom payments.
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement two-factor authentication company-wide.
- For USA readers, join and become active in your local InfraGard chapter (infragard.org); there is no charge for membership.
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures, and test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cyber security software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications directed at your domains. RedXray service is $500 a month and provides threat intelligence on ten (10) cyber threat categories, including Keyloggers, without having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989