The BlackMatter ransomware strain used in numerous attacks against U.S. critical infrastructure entities and other large organizations in recent months has serious logical flaws in its code that limit the malware’s effectiveness in certain situations.
Organizations that can trigger faulty logic could mitigate the damage BlackMatter could cause to their environment, Illusive said in a report Friday.
Illusive researchers discovered the vulnerability when they observed that the ransomware failed to encrypt remote computer shares in the company’s test environment. Close inspection of the code revealed that BlackMatter would only encrypt other computers on the same network if the environment was configured in a specific way.
The logic flaw gives organizations a way to prevent BlackMatter from encrypting remote file shares, said Shahar Zelig, a security researcher at Illusive.
“But it’s important to note that infected devices will still be encrypted,” he said. “If an attacker compromises multiple devices, they can still run BlackMatter to encrypt all of them. This logic flaw specifically targets remote sharing.”
BlackMatter surfaced in July 2021 after the DarkSide ransomware-as-a-service operation shut down due to an attack on the Colonial Pipeline, sparking concern and reactions from the White House all the way down. Like DarkSide, BlackMatter is distributed under a ransomware-as-a-service model. The malware has been used to attack at least two organizations belonging to the U.S. food and agriculture sector as well as several other critical infrastructure targets. The operators of the ransomware have released data belonging to at least 10 large organizations in the US, Canada, UK, India, Brazil, Thailand and Chile.
Security vendors who analyzed the malware described its payload as efficient, small (about 80Kb in size), well obfuscated, and mostly running in memory. One analysis, by Varonis, showed that BlackMatter operators often gain initial access by compromising vulnerable edge devices, including remote desktop and VPN systems, or by misusing login credentials obtained from other sources.
Concerns about BlackMatter prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an announcement in October warning federal agencies about the threat and providing information on how to detect it in their environments.
Illusive’s analysis focuses on how BlackMatter encrypts file shares to maximize damage. BlackMatter first enumerates all computer accounts in Active Directory. Next, it retrieves the properties of each computer account, then enumerates each computer’s shares, and finally attempts to encrypt each available share.
“Logical flaws occur in the second stage,” Zelig said. He noted that if a computer lacks the “dNSHostName” attribute, BlackMatter stops collecting the list of computer attributes altogether.
“In a nutshell, BlackMatter retrieves all computers from Active Directory and then lists the attributes of each computer,” Zelig said. “But if there is a computer without the ‘dNSHostName’ attribute, it stops.”
Illusive also found that BlackMatter only enumerates computer accounts in the default “Computers” container in Active Directory. Therefore, computers stored in other organizational units will escape encryption.
Logical Flaw
Not all ransomware tools attempt to encrypt remote shares. In fact, most ransomware tools don’t have that capability, Zelig said. The problem with BlackMatter’s logic is that it assumes that every computer object has a dNSHostName property.
“In most cases, this assumption is correct — whenever a computer is added to Active Directory, it automatically includes its dNSHostName as an attribute,” he said.
The logic flaw gives organizations the opportunity to proactively mitigate BlackMatter’s impact by creating computer accounts without the dNSHostName attribute, named so that they appear first when the malware begins its initial enumeration, Illusive said. For example, by creating an account named “aaa-comp” without the dNSHostName attribute, an organization might prevent BlackMatter from encrypting its exposed remote shares.
“In order to trigger the faulty logic, an administrator should create a computer object whose name will appear first in an alphanumeric list, and ensure that its dNSHostName property is not set,” Zelig noted.
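The following PowerShell is an added example, not code from Illusive or from the article, showing one way an administrator could carry out the mitigation described above and then audit the default Computers container the same way the article says BlackMatter enumerates it (computer objects, their dNSHostName attribute, sorted by name). The decoy name “aaa-comp” is taken from the article; the function names, the use of the RSAT ActiveDirectory module, and the choice to keep the decoy account disabled are assumptions.

```powershell
# Added example (not Illusive's or the article's code). Requires the RSAT
# ActiveDirectory module and rights to create computer objects in the domain.
Import-Module ActiveDirectory

$DecoyName = 'aaa-comp'                           # name from the article; must sort first in your domain
$Container = (Get-ADDomain).ComputersContainer    # default CN=Computers,<domain DN>

function New-DecoyComputer {
    param([string]$Name, [string]$Path)
    # -DNSHostName is deliberately omitted so the dNSHostName attribute is never
    # populated. The account is created disabled so it cannot be used to join a
    # machine to the domain (assumption: a disabled decoy is acceptable here).
    New-ADComputer -Name $Name -Path $Path -Enabled $false `
        -Description 'Decoy object: intentionally has no dNSHostName' -PassThru
}

function Test-DecoyPlacement {
    param([string]$Name, [string]$Path)
    # Mirror the enumeration the article describes: every computer object in the
    # default container, with its dNSHostName, ordered alphanumerically by name.
    $computers = Get-ADComputer -Filter * -SearchBase $Path -SearchScope OneLevel `
        -Properties dNSHostName | Sort-Object Name
    $first = $computers | Select-Object -First 1
    [pscustomobject]@{
        FirstObject        = $first.Name
        FirstHasDnsName    = -not [string]::IsNullOrEmpty($first.dNSHostName)
        DecoyIsFirst       = ($first.Name -eq $Name)
        ObjectsInContainer = $computers.Count
        # Any other objects lacking dNSHostName are worth reviewing: stale or
        # pre-staged accounts behave the same way and should be known to you.
        MissingDnsName     = ($computers | Where-Object { -not $_.dNSHostName }).Name
    }
}

# Create the decoy only if it does not already exist, then report placement.
$existing = Get-ADComputer -Filter "Name -eq '$DecoyName'" -SearchBase $Container
if (-not $existing) {
    New-DecoyComputer -Name $DecoyName -Path $Container | Out-Null
}
Test-DecoyPlacement -Name $DecoyName -Path $Container
```

The audit sorts by name to match Zelig’s description that the decoy should appear first in an alphanumeric list; note that an LDAP search without a server-side sort control does not guarantee result order, so the check confirms the object exists with no dNSHostName and sorts first by name, not the order any particular tool will receive. Re-run `Test-DecoyPlacement` after adding new computer accounts, since a name that sorts ahead of the decoy would change `DecoyIsFirst`.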