BlackMatter ransomware strikes again (but Sophos stops it)
Ransomware is a fear-based attack vector. The greater the fear (i.e., loss of revenue, negative brand impact, human cost) the greater the ransom demand.
This is why ransomware groups are often looking to snag high-value targets that are almost too big to fail. It increases the likelihood that the victims will pay.
Hitting the food supply chain would certainly raise the fear factor, which is why it’s no surprise to see a recent ransom attack demanding almost $6 million from Iowa-based food operator New Cooperative. The group behind this attack is none other than BlackMatter.
In early August, we wrote about BlackMatter emerging from the shadows of DarkSide Ransomware-as-a-Service (RaaS). DarkSide is famously associated with the Colonial Pipeline attack; another high-profile, disruptive ransomware event.
This current iteration of Black Matter appears very similar to what we reported previously, including techniques such as the automatic printing of the ransom note.
Sophos Intercept X stops BlackMatter ransomware
Customers running Sophos Intercept X endpoint protection can rest easy knowing they’re protected by multiple layers of defense against ransomware attacks, including BlackMatter.
Sophos’ deep learning malware detection is able to identify BlackMatter ransomware pre-execution. This happens by using artificial intelligence to compare the “DNA” of the executable to the “DNA” of the entire history of malware. If the file appears similar to ransomware, it will be blocked before it’s able to run.
In addition to deep learning, Intercept X includes CryptoGuard anti-ransomware technology. This defense layer detects malicious encryption processes and shuts them down before they can spread. The runtime behavior engine also detects threats running in memory, and any files that happen to get encrypted are rolled back to their previously-safe states.
BlackMatter resources
- BlackMatter ransomware emerges from the shadow of DarkSide
- A defender’s view inside a DarkSide ransomware attack
- What IT security teams can learn from the Colonial Pipeline ransomware attack
Source: Sophos