With strong vigilance, protection, cyber-training and supply-chain security audits, ICS should be ready and waiting for ANY malware or ransomware resurgence.

Following the announced closure of BlackMatter ransomware group — believed to be responsible for the Olympus attack earlier this year — authorities across Asia will be watching closely for signs of the group’s resurgence.

BlackMatter, which emerged from the ashes of ransomware group DarkSide, the infamous gang behind the Colonial Pipeline attack, ceased operations in November last year. However, we don’t have to look back very far to predict what is coming. Like other ransomware collectives that have gone dark – as we’ve seen most recently with the resurgence of REvil – closure doesn’t necessarily mean gone.

Shortly before the BlackMatter closure announcement, the warning was clear for Asia’s critical industries and enterprises as reports circulated on the latest victims of BlackMatter. Despite apparent agreement between US and Russian authorities on ‘off-the-table’ critical infrastructure (and Industrial Control Systems, aka ICS) targets that BlackMatter’s operations were supposed to avoid, NEW Cooperative Inc was hit in September 2021. The farmers’ cooperative could be categorized as critical infrastructure, as it is a key part of the essential food supply chain.

Furthermore, according to BlackMatter’s ads published across cybercrime forums when they were actively recruiting collaborators earlier this year, the ransomware-as-a-service group was seeking brokers able to grant access to high value corporate networks, targeting companies with revenues of around US$100m per year or more. The networks needed between 500 and 15,000 hosts located in various regions.

If that is the case, this attack could have significant consequences for governments across Asia as they look to shore up their security. Modern supply chains are sometimes found to be vulnerable to sudden disruptions, with the full effects often understood only much later. Asian companies must be prepared.

BlackMatter’s TTPs

One of the keys to overcoming the unpredictable yet seemingly imminent threat is to look at the data behind the attacks.

Technical analysis of BlackMatter ransomware executables, including the ways the malware hinders analysis, is the most effective way to prevent further attacks, however they resurface in future.

The tactics, techniques and procedures of BlackMatter are as follows:

  • The ransomware encrypts victims’ files with a version of ChaCha20, a popular stream cipher, combined with RSA, a public-key cryptosystem.
  • It then performs a number of common ransomware actions: deleting shadow copies and local back-ups, deleting files in the recycle bin, terminating the processes and services specified in its configuration, and changing the wallpaper to point to the README text file that holds the decryption instructions.
  • Next, the malware attempts to thwart analysis by hiding the Windows application programming interfaces it relies on: rather than importing them by name, it resolves some of the required functions at run time by their hashes.
  • To further complicate analysis, the malware sometimes uses an unusual way of storing the addresses it resolves. Instead of simply writing every resolved WinAPI address into a table, it randomly chooses one of five different ways to encode each address, and stores the encoded address together with a dynamically built code snippet that decodes it just before the call.
  • Another anti-debugging trick is checking for a byte sequence that Microsoft’s debug heap places in memory when a process is being debugged. If a debugger is attached, this sequence will be present and the malware will not store the address of the decoding snippet in its custom import table, which later causes the debugged sample to crash.
  • The sample’s encrypted configuration is stored in the .rsrc section, the PE resource section. The configuration is further compressed, and its individual fields are base64-encoded. The sample can interact with both plain HTTP and HTTPS endpoints.
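As an added illustration, not part of the original article, the following Python scores constructed process-creation log lines for the pre-encryption behaviours listed above (shadow-copy and back-up deletion, service and process termination), so that a host showing several of them together is flagged rather than each low-value event alone. The pipe-separated log format, the rule weights and the alert threshold are assumptions; the command patterns are the standard built-in Windows tools such deletions and terminations are typically issued through.

```python
"""Score process-creation events for the pre-encryption behaviours listed
above (shadow-copy and backup deletion, service and process termination).
Added example, not BlackMatter's or any vendor's code; the pipe-separated
log format, the weights and the threshold are assumptions."""
import re
from collections import defaultdict

# (label, pattern matched against the lower-cased command line, weight)
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", 5),
    ("shadow_copy_deletion", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", 5),
    ("backup_catalog_deletion", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", 4),
    ("service_stop", r"\b(net|sc)(\.exe)?\s+stop\b", 1),
    ("process_kill", r"\btaskkill(\.exe)?\b.*\s/im\b", 1),
]
COMPILED = [(label, re.compile(pat), w) for label, pat, w in RULES]
ALERT_THRESHOLD = 6  # one destructive action plus at least one stop/kill

def classify(cmdline):
    """Return the (label, weight) pairs whose pattern matches the command."""
    text = cmdline.lower()
    return [(label, w) for label, rx, w in COMPILED if rx.search(text)]

def score_hosts(log_lines):
    """Parse 'time|host|user|command' lines; sum weights per host and
    collect the labels that fired. Malformed records are skipped."""
    scores, labels = defaultdict(int), defaultdict(set)
    for line in log_lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        _time, host, _user, cmd = parts
        for label, w in classify(cmd):
            scores[host] += w
            labels[host].add(label)
    return {h: (scores[h], sorted(labels[h])) for h in scores}

def alerts(log_lines, threshold=ALERT_THRESHOLD):
    """Hosts whose summed weight reaches the threshold, with fired labels."""
    return {h: v for h, v in score_hosts(log_lines).items() if v[0] >= threshold}

# Constructed sample events, not taken from any real incident.
SAMPLE_LOG = [
    "2021-11-01T02:14:03|HMI-07|svc_backup|vssadmin.exe Delete Shadows /All /Quiet",
    "2021-11-01T02:14:05|HMI-07|svc_backup|net stop MSSQLSERVER",
    "2021-11-01T02:14:06|HMI-07|svc_backup|taskkill /F /IM sqlservr.exe",
    "2021-11-01T02:20:11|ENG-02|jdoe|net stop Spooler",
    "2021-11-01T02:21:40|ENG-02|jdoe|notepad.exe C:\\Users\\jdoe\\notes.txt",
]
```

Running `alerts(SAMPLE_LOG)` flags only HMI-07, where a shadow-copy deletion is followed by a service stop and a process kill; the lone `net stop` on ENG-02 stays below the threshold.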

That is a lot to unpack here, but the key thing for Asian organizations to be conscious of is the indication that RaaS groups are not just highly effective, but very much able and willing to infiltrate critical infrastructure providers.

Know thy enemies

The malware has proven its ability to break through reputable malware-blocking tools — this is a strong evolution of what cyber defenders have seen and defended against before.

It goes to show that attacks on Asia’s critical infrastructure in the near future are almost inevitable.

However, given the ruthlessness and sophistication of this kind of adversary, understanding the method of attack — as well as the vulnerability landscape — is one of the most important steps to an enhanced security posture.