How to Proactively Limit Damage From BlackMatter Ransomware

Published: 23/11/2024   Category: security




Logic flaw exists in malware that can be used to prevent it from encrypting remote shares, security vendor says.



The BlackMatter ransomware strain that has been used in numerous attacks against US critical infrastructure entities and other large organizations in recent months has a serious logic flaw in its code that limits the malware's effectiveness in some situations.
Organizations that can trigger the faulty logic can potentially mitigate the damage that BlackMatter can cause in their environment, Illusive said in a report Friday.
Illusive researchers discovered the flaw when they observed the ransomware failing to encrypt shares of remote computers in the company's test environment. A closer inspection of the code showed that BlackMatter encrypts other computers on the same network only if the environment is configured in a particular way.
The logic flaw gives organizations a way to prevent BlackMatter from encrypting file shares, says Shahar Zelig, security researcher at Illusive.
"But it is important to note that the compromised device would still be encrypted," he says. "And if an attacker has compromised multiple devices, it could still run BlackMatter to encrypt all those devices. This logic flaw is specifically about remote shares."
BlackMatter surfaced in July 2021 soon after the DarkSide ransomware-as-a-service operation shut down following an attack on Colonial Pipeline that stirred concern — and reaction — all the way from the White House down. Like DarkSide, BlackMatter is being distributed under a ransomware-as-a-service model. The malware has been used in attacks against at least two organizations belonging to the US food and agriculture sector and several other critical infrastructure targets. Operators of the ransomware have published data belonging to at least 10 large organizations across the US, Canada, UK, India, Brazil, Thailand, and Chile.
Security vendors that have analyzed the malware describe its payload as highly efficient, small (about 80 KB in size), well-obfuscated, and running mostly in memory. An analysis conducted by Varonis showed the operators of BlackMatter typically gain initial access by compromising vulnerable edge devices, including remote desktops and VPNs, or by abusing login credentials obtained from other sources.
Concerns over BlackMatter prompted the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an advisory in October warning federal agencies about the threat and providing information on how to detect it in their environments.
Illusive's analysis focused on how BlackMatter encrypts file shares to maximize damage. BlackMatter first enumerates all the computer accounts in Active Directory. Next it retrieves the attributes for each computer account, then enumerates the shares for each computer, and finally attempts to encrypt each available share.
The logic flaw occurs in the second stage, Zelig says. "If a computer lacks the dNSHostName attribute, then BlackMatter ends the process of gathering the list of computer attributes," he notes.
"To put it succinctly, BlackMatter retrieves all of the computers from Active Directory and then lists the attributes of each computer," Zelig says. "But if there is a computer without the dNSHostName attribute, then it would stop."
Illusive also discovered that BlackMatter only enumerates computer accounts in the compromised domain's default Computers container (CN=Computers). Computers stored in a different organizational unit would therefore never be enumerated, and their shares would escape encryption.
Flaw in the Logic
Not all ransomware tools try to encrypt remote shares. In fact, the feature is not present in most ransomware tools, Zelig says. The issue with BlackMatter's logic is that it assumes every computer object will have a dNSHostName attribute.
"In most cases, this assumption is correct – whenever a computer is added to Active Directory, it will automatically include its dNSHostName as an attribute," he says.
The logic flaw gives organizations an opportunity to try and proactively mitigate BlackMatter's impact by creating a computer account without the dNSHostName attribute that will also appear first when the malware begins its initial enumeration process, Illusive said. As an example, by creating an account named aaa-comp without the dNSHostName attribute, an organization could potentially prevent BlackMatter from encrypting exposed remote shares.
To trigger the faulty logic, an admin should create a computer object with a name that will appear first in an alphanumeric list and ensure that its dNSHostName attribute is not set, Zelig noted.
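The procedure above, carried out with the ActiveDirectory PowerShell module, as an added example that is not Illusive's or the article's own code. It assumes RSAT's ActiveDirectory module, rights to create computer objects in the domain, and that BlackMatter walks the default Computers container in ascending name order (the article says the decoy must "appear first in an alphanumeric list"; the malware's exact ordering is not stated). The decoy name aaa-comp is the one from the article.

```powershell
# Added example, not code from Illusive or the article. Assumes the ActiveDirectory
# RSAT module, rights to create computer objects, and that BlackMatter processes
# computer objects in ascending name order (an assumption; the article only says
# the decoy must sort first).
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$computersCN = "CN=Computers,$domainDN"   # the default container BlackMatter enumerates
$decoyName   = 'aaa-comp'                 # decoy name used in the article

# 1. Create the decoy in the default Computers container with no dNSHostName.
#    New-ADComputer only populates dNSHostName when -DNSHostName is given, so
#    omitting it leaves the attribute empty. The account is created disabled so
#    no real machine can be joined to the domain under this name (joining would
#    populate dNSHostName and defeat the decoy).
$decoy = Get-ADComputer -Filter "Name -eq '$decoyName'" -SearchBase $computersCN `
                        -Properties dNSHostName -ErrorAction SilentlyContinue
if (-not $decoy) {
    $decoy = New-ADComputer -Name $decoyName -Path $computersCN -Enabled $false `
        -Description 'Decoy object: intentionally has no dNSHostName (BlackMatter share-encryption mitigation)' `
        -PassThru
    $decoy = Get-ADComputer -Identity $decoy.DistinguishedName -Properties dNSHostName
}

# 2. Verify the attribute really is empty; a later script, GPO, or domain join
#    could have set it. Clear it if so.
if ($decoy.dNSHostName) {
    Write-Warning "dNSHostName is set on $decoyName; clearing it so the decoy triggers the flaw."
    Set-ADComputer -Identity $decoy.DistinguishedName -Clear dNSHostName
}

# 3. Replay the malware's view of the container: list its direct child computer
#    objects sorted by name and confirm the decoy is first. Any real computer
#    that sorts before it (for example a hostname starting with a digit) would be
#    processed, and its shares encrypted, before the faulty branch is reached.
$ordered = Get-ADComputer -Filter * -SearchBase $computersCN -SearchScope OneLevel `
                          -Properties dNSHostName | Sort-Object Name
$first = $ordered | Select-Object -First 1
if ($first.Name -ne $decoyName) {
    Write-Warning "'$($first.Name)' sorts before '$decoyName'; rename the decoy so it sorts first."
}
$ordered | Select-Object Name, dNSHostName, Enabled | Format-Table -AutoSize
```

Two caveats follow from the article's own description. The decoy only protects remote shares reached through this enumeration path: the host the ransomware runs on is still encrypted, and so is every other host the attacker has already compromised and launched the payload on. And because the flaw depends on the decoy being the first object the malware reads, step 3 is worth re-running whenever computers are added to the default container, since a new hostname that sorts ahead of the decoy silently removes the protection.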
