HHS Warns Health Sector of BlackMatter AttacksAdvisory Says Ransomware Gang Is an 'Elevated Threat' for Healthcare
Federal regulators are alerting healthcare and public health sector entities of the "elevated threat" for potential ransomware attacks by BlackMatter, despite the gang's purported claims that it is not targeting "critical infrastructure" organizations, such as hospitals.
In a threat brief issued Sept. 2, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, notes that BlackMatter malware first surfaced in July, and is suspected to be the successor of DarkSide and REvil RaaS operations (see: BlackMatter Ransomware Appears to be Spawn of DarkSide).
According to the alert, a BlackMatter representative claims that the group does not attack a variety of industries, including hospitals, and if these entities are attacked, then the company can ask for "free decryption."
“We will not allow our project to be used to encrypt critical infrastructure that will attract unwanted attention to us,” BlackMatter claims, according to HC3's alert.
Threat analyst Brett Callow of the security firm Emsisoft says the gang’s claims "should be taken with a pinch of salt" for a couple of reasons.
"First because they’re conscienceless criminals and cannot be trusted. Second because they will not have complete control over the affiliates," he says.
"We’re actually aware of BlackMatter attacks on healthcare providers. It’s happening," he says.
Furthermore, "even if the criminals provide healthcare organizations with a no-cost decryptor, the attacks would still represent a significant risk to lives," he says.
For instance, in the May ransomware attack on Ireland's public health system – the Health Service Executive - the Conti gang reportedly provided a free decryptor, but the recovery process still took many weeks. (see: Ransomware Gang Provides Irish Health System With Decryptor).
"As the HSE case demonstrated, recovery can be an extremely long process even when the organization has the decryptor. The disruption can last for weeks or even months," he says.
Callow also says that despite the early suspected ties to REvil, BlackMatter appears to be "a rebrand of DarkSide" - the gang responsible for the attack on Colonial Pipeline. "I have no connection between them and REvil, besides possibly shared affiliates," he notes.
The HC3 alert notes that BlackMatter's targeted systems are Windows and Linux servers and that the "ransomware [is] written in C that encrypts files using a combination of Salsa20 and 1024-bit RSA," HC3 says.
Additionally, HC3 says BlackMatter ransomware:
- Attempts to mount and encrypt unmounted partitions;
- Targets files stored locally and on network shares, as well as removable media;
- Can terminate processes prior to encryption;
- Deletes volume shadow copies and ignores specific directories, files or file extensions during encryption;
- Can be configured to upload system information to a remote server via HTTP or HTTPS;
- Collects system information such as system name, username, domain, language information and list of enumerated drives.
HC3 says the BlackMatter group is likely Eastern Europe and is Russian-speaking. Targeted countries include the U.S., India, Brazil, Chile, Thailand and others.
Targeted industries so far are legal, real estate, IT services, food and beverage, architecture, education and finance. The group is also actively seeking initial access brokers and affiliates for ransomware deployment, the advisory says.
BlackMatter is a "highly sophisticated, financially motivated cybercriminal operation," HC3 notes.
BlackMatter is believed to be behind a Sept. 8 cyberattack on Olympus, a Japanese company that manufactures optics and reprography products (see: Olympus: 'Potential Cyber Incident' Disrupted EMEA System).
BlackMatter is just one of approximately 20 known and active ransomware gangs working globally, says retired supervisory FBI agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
"All these ransomware gangs are … a true and present danger to the healthcare sector in particular," he says.
"The healthcare sector deals with life and death matters on a daily basis … They are not risking just the encryption of their business documents, but in many instances these ransomware attacks are also attacking their 'operational technology' networks that control the actual infrastructure of these healthcare entities and put real lives at risk."
Steps to Take
HC3 provides a number of suggested defense and mitigation steps for healthcare sector entities to take. Those include:
- Implementing whitelisting technology to ensure that only authorized software is allowed to execute;
- Providing access control based on the principal of least privilege;
- Maintaining an anti-malware solution;
- Conducting system hardening to ensure proper configurations;
- Disabling the use of SMBv1 - and all other vulnerable services and protocols - and requiring at least SMBv2.
In addition, entities should restrict, minimize or eliminate RDP usage, HC3 says.