
BlackMatter & manufacturing...What you need to know

Aug. 16, 2021
It is important for organizations to prepare for the possibility of a successful ransomware attack and have an incident-response playbook in place.

Here we go again. The latest ransomware group making headlines is BlackMatter, which purports to maintain a code of ethics while attacking corporate networks in the United States, the United Kingdom and elsewhere around the world.

We wanted to learn more, so we connected with Satnam Narang, staff research engineer at Tenable, who has long researched these groups. Take a look… 

Smart Industry: How does BlackMatter compare to other high-profile ransomware groups? 

Satnam: At the moment, there are signs that point to BlackMatter being the successor to REvil and Darkside, either inspired by these groups or a rebranding effort. There isn’t a lot of data at the moment in terms of victims of BlackMatter. However, based on a recent interview conducted with a representative from BlackMatter, they say the only time victims appear on their leak website is when the ransom hasn’t been paid. So far, they have already started negotiations with victims, and they will never publish an entry while discussions are ongoing.

The success of ransomware-as-a-service groups like BlackMatter will depend on a variety of factors, but will primarily hinge on the affiliates that are part of their program. If BlackMatter is able to capture the void left by REvil and Darkside, they’ll be just as successful as those groups, though there are other ransomware groups out there jockeying for position at the top of the ransomware game.

Smart Industry: BlackMatter released a list of orgs that it won’t target (healthcare, schools and local governments) and is instead targeting companies with annual revenue of $100M+. Why are hackers moving away from low-hanging-fruit targets and toward global companies?

Satnam: By attacking healthcare, schools, governments and critical infrastructure, ransomware groups face greater scrutiny and attention from governments and law enforcement. So it makes complete sense that these groups more explicitly forbade targeting these institutions. That said, because the groups themselves are not the ones doing the attacking, the onus falls on the affiliates that participate in the ransomware-as-a-service ecosystem to follow these guidelines. 

It is likely that BlackMatter is going after larger enterprises because of the greater likelihood of a ransom payment. Larger companies can often work through their cyber-insurance policies to make ransom payments and they’re also incentivized to pay up to limit bad press, which could hurt their brand.

Smart Industry: Why do ransomware groups release lists of targets they won't target? Will they stick to it, and are there any loopholes?

Satnam: In this instance, it is likely part of their recruiting strategy for the affiliates interested in their ransomware-as-a-service offering. By defining what targets are off-limits, they hope to weed out potential bad actors from trying to push the envelope.

Smart Industry: What can manufacturers, in particular, do to protect themselves from groups like BlackMatter? 

Satnam: Ransomware groups like BlackMatter rely on their affiliates to breach networks. The methods affiliates use will vary, so it is important for manufacturers (as well as other organizations) to take stock and do their due diligence to identify and patch vulnerable software and devices within their networks, have up-to-date endpoint and secure email-gateway solutions in place, and audit their network for misconfigurations in their Active Directory. It is also important for organizations to prepare for the possibility of a successful ransomware attack and have an incident-response playbook in place for how to respond.
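As a concrete starting point for the Active Directory audit recommended above, here is an added example from the editor (not code from the article, Tenable or Satnam Narang) that pulls a handful of common misconfigurations that ransomware affiliates routinely abuse for credential theft and lateral movement. The specific checks (Kerberos pre-authentication disabled, non-expiring passwords on enabled accounts, unconstrained delegation on non-domain-controller machines, privileged accounts with service principal names, and long-inactive enabled users) are the editor's choice of illustrative items, not a list from the page. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined account with read access to the directory; the 90-day inactivity window and the output path are assumptions you can adjust.

```powershell
# Added example: quick Active Directory misconfiguration audit.
# Editor's illustration, not from the article. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$findings = @()

# 1. Accounts that do not require Kerberos pre-authentication
#    (their AS-REP can be requested and cracked offline).
$findings += Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
    Select-Object @{n='Check'; e={'KerberosPreAuthDisabled'}}, SamAccountName

# 2. Enabled accounts whose password never expires.
$findings += Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires |
    Select-Object @{n='Check'; e={'PasswordNeverExpires'}}, SamAccountName

# 3. Computers trusted for unconstrained delegation that are not domain
#    controllers (primaryGroupID 516 = Domain Controllers).
$findings += Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -ne 516 } |
    Select-Object @{n='Check'; e={'UnconstrainedDelegation'}}, @{n='SamAccountName'; e={$_.Name}}

# 4. Members of Domain Admins that carry a service principal name
#    (a Kerberos service ticket for them can be cracked offline).
$findings += Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ServicePrincipalName |
    Where-Object { $_.ServicePrincipalName } |
    Select-Object @{n='Check'; e={'PrivilegedAccountWithSPN'}}, SamAccountName

# 5. Enabled user accounts with no logon in the last 90 days (assumed window).
$findings += Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object @{n='Check'; e={'InactiveEnabledUser'}}, SamAccountName

# Summarize on screen and keep a CSV for the remediation ticket (assumed path).
$findings | Sort-Object Check, SamAccountName | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\ad-misconfig-audit.csv
```

Run it from a workstation with RSAT installed as a low-privilege domain user; every query is read-only. Treat each row as a lead to investigate rather than an automatic finding, and re-run it on a schedule so that drift shows up before an affiliate finds it.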