
Ethical Hacking

Wade Mackey

Week 2

Bold Cybercriminals

September 9, 2021 by Vanessa Marin 1 Comment

Article: BlackMatter Ransomware Attacks Threaten Healthcare, HC3 Says

Author: Jill McKeon

Published: Sept 09, 2021

Probably the most interesting article I’ve read all week! BlackMatter is a ransomware group that provides RaaS (Ransomware as a Service) and has one motivation – $$.

BlackMatter has roots in Eastern Europe and has targeted victims in North/South America and Asia, with a focus on the real estate, IT, F&B, architecture, education and finance sectors. Though it claims to “not target hospitals, critical infrastructure facilities, nonprofit companies, government, the defense industry, or the oil and gas industry,” it is imperative to know that its connection to DarkSide and REvil/Sodinokibi is making that claim doubtful. (DarkSide was the threat actor in the Colonial Pipeline hack.)

The BlackMatter group makes it a business to sell credentials, VPN logins and webshells to ransomware groups.

Highly recommend you read the article. It is insightful into how bold these cybercriminals are. No longer even a secret. Now it’s a service.

Source: https://healthitsecurity.com/news/blackmatter-ransomware-attacks-threaten-healthcare-hc3-says

Tagged With: Week 2

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor

September 5, 2021 by Matthew Bryan 2 Comments

This is a good example of knowing your intended target and providing the right context to increase perceived legitimacy, e.g. capitalizing on Microsoft’s recent announcement of Windows 11. Specifically, I thought the following items were interesting and relevant to our upcoming discussion on reconnaissance.

The FIN7 script checked for, and terminated itself, if the following were found on the victim’s machine:

  • Eastern European languages in use
  • Running within a virtual environment such as VMware or Virtual Box

The items above would be atypical for their ideal victim. Stopping the script when the above criteria are met helps avoid detection by security researchers and extends the lifespan of the attack.

https://thehackernews.com/2021/09/fin7-hackers-using-windows-11-themed.html

Tagged With: Week 2
