Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cybercrime

HHS Warns Health Sector of BlackMatter Attacks

Advisory Says Ransomware Gang Is an 'Elevated Threat' for Healthcare
HHS Warns Health Sector of BlackMatter Attacks

Federal regulators are alerting healthcare and public health sector entities of the "elevated threat" for potential ransomware attacks by BlackMatter, despite the gang's purported claims that it is not targeting "critical infrastructure" organizations, such as hospitals.

See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare

In a threat brief issued Sept. 2, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, notes that BlackMatter malware first surfaced in July, and is suspected to be the successor of DarkSide and REvil RaaS operations (see: BlackMatter Ransomware Appears to be Spawn of DarkSide).

According to the alert, a BlackMatter representative claims that the group does not attack a variety of industries, including hospitals, and if these entities are attacked, then the company can ask for "free decryption."

“We will not allow our project to be used to encrypt critical infrastructure that will attract unwanted attention to us,” BlackMatter claims, according to HC3's alert.

Cybercriminal Claims

Threat analyst Brett Callow of the security firm Emsisoft says the gang’s claims "should be taken with a pinch of salt" for a couple of reasons.

"First because they’re conscienceless criminals and cannot be trusted. Second because they will not have complete control over the affiliates," he says.

"We’re actually aware of BlackMatter attacks on healthcare providers. It’s happening," he says.

Furthermore, "even if the criminals provide healthcare organizations with a no-cost decryptor, the attacks would still represent a significant risk to lives," he says.

For instance, in the May ransomware attack on Ireland's public health system – the Health Service Executive - the Conti gang reportedly provided a free decryptor, but the recovery process still took many weeks. (see: Ransomware Gang Provides Irish Health System With Decryptor).

"As the HSE case demonstrated, recovery can be an extremely long process even when the organization has the decryptor. The disruption can last for weeks or even months," he says.

Callow also says that despite the early suspected ties to REvil, BlackMatter appears to be "a rebrand of DarkSide" - the gang responsible for the attack on Colonial Pipeline. "I have no connection between them and REvil, besides possibly shared affiliates," he notes.

BlackMatter Traits

The HC3 alert notes that BlackMatter's targeted systems are Windows and Linux servers and that the "ransomware [is] written in C that encrypts files using a combination of Salsa20 and 1024-bit RSA," HC3 says.

Additionally, HC3 says BlackMatter ransomware:

  • Attempts to mount and encrypt unmounted partitions;
  • Targets files stored locally and on network shares, as well as removable media;
  • Can terminate processes prior to encryption;
  • Deletes volume shadow copies and ignores specific directories, files or file extensions during encryption;
  • Can be configured to upload system information to a remote server via HTTP or HTTPS;
  • Collects system information such as system name, username, domain, language information and list of enumerated drives.

'Highly Sophisticated'

HC3 says the BlackMatter group is likely Eastern Europe and is Russian-speaking. Targeted countries include the U.S., India, Brazil, Chile, Thailand and others.

Targeted industries so far are legal, real estate, IT services, food and beverage, architecture, education and finance. The group is also actively seeking initial access brokers and affiliates for ransomware deployment, the advisory says.

BlackMatter is a "highly sophisticated, financially motivated cybercriminal operation," HC3 notes.

BlackMatter is believed to be behind a Sept. 8 cyberattack on Olympus, a Japanese company that manufactures optics and reprography products (see: Olympus: 'Potential Cyber Incident' Disrupted EMEA System).

BlackMatter is just one of approximately 20 known and active ransomware gangs working globally, says retired supervisory FBI agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.

"All these ransomware gangs are … a true and present danger to the healthcare sector in particular," he says.

"The healthcare sector deals with life and death matters on a daily basis … They are not risking just the encryption of their business documents, but in many instances these ransomware attacks are also attacking their 'operational technology' networks that control the actual infrastructure of these healthcare entities and put real lives at risk."

Steps to Take

HC3 provides a number of suggested defense and mitigation steps for healthcare sector entities to take. Those include:

  • Implementing whitelisting technology to ensure that only authorized software is allowed to execute;
  • Providing access control based on the principal of least privilege;
  • Maintaining an anti-malware solution;
  • Conducting system hardening to ensure proper configurations;
  • Disabling the use of SMBv1 - and all other vulnerable services and protocols - and requiring at least SMBv2.

In addition, entities should restrict, minimize or eliminate RDP usage, HC3 says.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.