How to Proactively Limit Damage From BlackMatter Ransomware

Logic flaw exists in malware that can be used to prevent it from encrypting remote shares, security vendor says.

The BlackMatter ransomware strain that's been used in numerous attacks against US critical infrastructure entities and other large organizations in recent months has a serious logic flaw in its code that limits the malware's effectiveness in some situations.

Organizations that can trigger the faulty logic can potentially mitigate the damage that BlackMatter can cause in their environment, Illusive said in a report Friday.

Illusive researchers discovered the flaw when they observed the ransomware failing to encrypt shares of remote computers in the company's test environment. A closer inspection of the code showed that BlackMatter encrypts other computers in the same network only if the environment is configured in a particular way.

The logic flaw gives organizations a way to prevent BlackMatter from encrypting file shares, says Shahar Zelig, security researcher at Illusive.

"But it is important to note that the compromised device would still be encrypted," he says. "And if an attacker has compromised multiple devices, it could still run BlackMatter to encrypt all those devices. This logic flaw is specially about remote shares."

BlackMatter surfaced in July 2021 soon after the DarkSide ransomware-as-a-service operation shut down following an attack on Colonial Pipeline that stirred concern — and reaction — all the way from the White House down. Like DarkSide, BlackMatter is being distributed under a ransomware-as-a-service model. The malware has been used in attacks against at least two organizations belonging to the US food and agriculture sector and several other critical infrastructure targets. Operators of the ransomware have published data belonging to at least 10 large organizations across the US, Canada, UK, India, Brazil, Thailand, and Chile.

Security vendors that have analyzed the malware describe its payload as highly efficient, small (about 80Kb in size), well-obfuscated, and running mostly in memory. An analysis conducted by Varonis showed the operators of BlackMatter typically gain initial access by compromising vulnerable edge devices, including remote desktops and VPNs, or by abusing login credentials obtained from other sources. 

Concerns over BlackMatter prompted the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an advisory in October warning federal agencies about the threat and providing information on how to detect it in their environments.

Illusive's analysis focused on how BlackMatter encrypts file shares to maximize damage. BlackMatter first enumerates all the computer accounts in Active Directory. Next it retrieves the attributes for each computer account, then enumerates the shares for each computer, and finally attempts to encrypt each available share.

"The logic flaw occurs in the second stage," Zelig says. If a computer lacks the "dNSHostName" attribute, then BlackMatter ends the process of gathering the list of computer attributes, he notes. 

"To put it succinctly, BlackMatter retrieves all of the computers from Active Directory and then lists the attributes of each computer," Zelig says. "But if there is a computer without the 'dNSHostName' attribute, then it would stop." 

Illusive also discovered that BlackMatter only enumerates computer accounts in the default "computers" container on a compromised system. So computers stored in a different organizational unit would escape encryption.

Flaw in the Logic
Not all ransomware tools try to encrypt remote shares. In fact, the feature is not present in most ransomware tools, Zelig says. The issue with BlackMatter’s logic is that it assumes every computer object will have a dNSHostName attribute.

"In most cases, this assumption is correct – whenever a computer is added to Active Directory, it will automatically include its dNSHostName as an attribute," he says.

The logic flaw gives organizations an opportunity to try and proactively mitigate BlackMatter's impact by creating a computer account without the dnsHostName attribute, and that will also appear first when the malware begins its initial enumeration process, Illusive said. As an example, by creating an account named "aaa-comp" without the dnsHostName attribute, an organization could potentially prevent BlackMatter from encrypting exposed remote shares.

"To trigger the faulty logic, an admin should create a computer object with a name that will appear first in an alphanumeric list and ensure that its dNSHostName attribute is not set," Zelig noted.

Recommended Reading: