CISA, FBI, and NSA warn of BlackMatter attacks on agriculture and other critical infrastructure
A joint Cybersecurity Advisory issued Monday by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) warns that BlackMatter ransomware “has targeted multiple U.S. critical infrastructure entities,” including two within the U.S. food and agriculture sector.
Previous news reports linked attacks on two U.S. grain cooperatives in Iowa and Minnesota, NEW Cooperative and Crystal Valley Cooperative, to BlackMatter, highlighting digital security risks to the U.S. and global food supply chain.
The new advisory provides an overview of the threat, its tactics, detection signatures to help identify and block network activity associated with the threat, and mitigation best practices.
“First seen in July 2021, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims,” the advisory explains. BlackMatter is a “possible rebrand” of DarkSide, another major RaaS tool active last fall through this May, it adds.
In an interview published by Recorded Future in August, a BlackMatter representative claimed they sought to incorporate the most effective aspects of prior ransomware operations REvil and DarkSide.
BlackMatter ransom demands have ranged from $80,000 to $15,000,000 in Monero and Bitcoin, per the advisory.
The agencies urge critical infrastructure organizations to implement the detection signatures and follow security best practices, including strong passwords and multi-factor authentication. They also recommend implementing and enforcing backup procedures as well as network segmentation and monitoring, among other steps.
In a related press release, agency officials also urged victims to report attacks.
“Unfortunately, too many ransomware incidents go unreported, and because silence benefits the cybercriminals the most, we ask targeted entities to contact their local FBI Field Office and speak to a cyber agent,” said Bryan Vorndran, Assistant Director of the FBI’s Cyber Division.