zephyr_p - stock.adobe.com
A wave of new BlackMatter ransomware attacks has hit multiple organisations around the world in the past few days, with notable new victims including media marketing services firm Marketron, French beverage company La Martiniquaise, and Iowa, US-based grain co-op New Cooperative.
The group, which also hit optical technology specialist Olympus earlier in September, has posted multiple new victims to its dark web leak site in recent days, according to the RansomAlert community intelligence service.
In its official statement, New Cooperative said that out of an abundance of caution, it had taken its systems offline, and the incident was now contained. A spokesperson said the firm had notified law enforcement and third-party data security experts to investigate.
In screen captures of contact between New Cooperative and BlackMatter, posted to Twitter, New Cooperative’s representative attempted to talk BlackMatter out of the attack, saying that as part of the food supply chain, it should not have been attacked as per BlackMatter’s rules.
“About 40% of grain production runs on our software, and 11 million animals [sic] feed schedules rely on us,” the New Cooperative representative supposedly said. “This will break the supply chain very shortly, and we will have to report this to our regulators and likely the public if this disruption continues. I assume you have thought that through? CISA is going to be demanding answers from us.”
In response, BlackMatter’s representative claimed the organisation did not fall under its rules. “The critical ones mean the vital needs of a person, and you earn money,” they said.
BlackMatter claims to have stolen financial and human resources data, research and development information, and the source code for New Cooperative’s proprietary SoilMap software. The Russia-based gang, which spun up over the summer after other groups, including DarkSide and REvil, went dark, is demanding a $5.9m ransom.
“Details of the attack against New Cooperative are still emerging, and the impact could be far-reaching,” said Sophos senior security adviser John Shier. “What’s notable about the attack is the company’s insistence that they are critical infrastructure and should therefore be spared as per BlackMatter’s own policy.
“However, the operators behind BlackMatter disagree with this assessment and are continuing to pursue payment from the victim. This attack will be the first to test the new US government policy on reporting attacks against critical infrastructure to CISA and the Biden administration’s response to such an attack.”
Grant Geyer, CISO and chief product officer at Claroty, a supplier of industrial security services, said the fact that BlackMatter appeared to be going back on its word should not be a surprise to anybody.
Read more about ransomware
- The debate around banning ransomware payments is highly nuanced, and we must take care to avoid overt victim-blaming, in favour of an open and honest approach, says SASIG’s Martin Smith.
- Working alongside law enforcement partners, Bitdefender has developed and released a tool to help REvil victims recover their data for free.
“Taking a cyber criminal at their word is not wise,” he said. “But whether or not this specific group is going against their word, the fact remains that critical infrastructure organisations are still a lucrative target for many other malicious actors out there. These organisations still need to shore up their defences as much as possible.
“This attack demonstrates just how deeply and broadly the economy and supply chain is interconnected. Ransomware gangs feed on the psychological impact of putting businesses integral to the supply chain between a rock and a hard place, in order to make the choice to pay the ransom the easiest path forward.”
The surge in BlackMatter activity comes days after the US authorities revealed plans to impose sanctions on unspecified traders and cryptocurrency exchanges to deter them from acting as money laundries for ransomware gangs, making it harder for cyber criminals to profit from ransomware attacks.
The sanctions, which could be imposed later this week, will also likely come alongside fresh guidance to businesses on the risks associated with paying off a ransomware gang.
ESET cyber security specialist Jake Moore said that without any truly effective ability to target the gangs themselves, it was logical to target the payment infrastructure associated with ransomware payments, but this approach would not be without its challenges.
“When companies are targeted, they can fall over with some force and become trapped between a rock and a hard place,” he said. “Creating further penalties may just increase insurance payments, which will, in turn, grow the ransomware business cycle.
“Putting education and awareness at the heart of cyber security strategy is key. Better knowledge on how attacks operate and preventative support will take out more attacks. Better backups and restoration is safer than going for those who are wedged in a terrible position working out the least costly outcome.”