CISA, FBI, and NSA warn of BlackMatter attacks on agriculture and other critical infrastructure
Andrea Peterson October 18, 2021


A joint Cybersecurity Advisory issued Monday by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warns that BlackMatter ransomware “has targeted multiple U.S. critical infrastructure entities,” including two within the U.S. food and agriculture sector.  

Previous news reports linked attacks on U.S. grain cooperatives in Iowa and Minnesota, NEW Cooperative and Crystal Valley Cooperative, to BlackMatter, highlighting digital security risks to the U.S. and global food supply chain.

The new advisory provides an overview of the threat, its tactics, detection signatures to help identify and block network activity associated with the threat, and mitigation best practices. 

“First seen in July 2021, BlackMatter is ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims,” the advisory explains. BlackMatter is a “possible rebrand” of DarkSide, another major RaaS tool that was active from last fall through this May, it adds.

In an interview published by Recorded Future in August, a BlackMatter representative claimed they sought to incorporate the most effective aspects of prior ransomware operations REvil and DarkSide.

BlackMatter ransom demands have ranged from $80,000 to $15,000,000 in Monero and Bitcoin, per the advisory. 

The agencies urge critical infrastructure organizations to implement the detection signatures and follow security best practices, including strong passwords and multi-factor authentication. They also recommend implementing and enforcing backup procedures as well as network segmentation and monitoring, among other steps.

In a related press release, agency officials also urged victims to report attacks. 

“Unfortunately, too many ransomware incidents go unreported, and because silence benefits the cybercriminals the most, we ask targeted entities to contact their local FBI Field Office and speak to a cyber agent,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division.

Andrea (they/them) is senior policy correspondent at The Record and a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.