Threat Research Blog January 7, 2022

Preventing BlackMatter Ransomware from Encryption of Available Remote Share

By Shahar Zelig
Ransomware, Threat Research

Intro

During the last three months of 2021, Illusive researchers have seen BlackMatter ransomware attacks spread throughout the entire world, including hitting huge companies. CISA published an alert about BlackMatter and many detailed technical reports had been published.

BlackMatter is a sophisticated ransomware family. It leverages multithreading and various anti-debugging techniques, which have been detailed in other technical articles already published. However, a serious flaw in the logic of BlackMatter could neutralize the spread of an attack.

This article will focus on a unique way to potentially mitigate the damage of BlackMatter by employing a pre-built behavior that can prevent it from encrypting shares on remote computers.

BlackMatter Victims
Figure 1: BlackMatter wallpaper note.

Remote Share encryption

Reviewing the behavior of BlackMatter reveals that other computers in the same environment are only being encrypted if the built-in configuration enables it. Examining the network activity revealed its actions:

BlackMatter Encryption Process
Figure 2: How BlackMatter discovers and encrypts computers.

First, BlackMatter attempts to retrieve all the computers from the AD:

BlackMatter LDAP Request for Computers
Figure 3: LDAP request for computers.

It is worth noting that BlackMatter only requests objects from the built-in ‘Computers’ container, but does not request objects from other OUs. Therefore, an organization that does not have any computer objects in COMPUTERS but in some OU, is safe from that.

After BlackMatter retrieves all computer objects in the domain, then it retrieves attributes of each computer account through LDAP:

BlackMatter LDAP Request for Attributes
Figure 4: LDAP request for attributes of COMP1.
BlackMatter LDAP Request for Attributes Response
Figure 5: LDAP response with attributes.

To enumerate the computers in the Active Directory, BlackMatter uses the standard API functions: ADsOpenObject, AdsBuildEnumerator, ADsEnumerateNext.
This is the loop that enumerates the computers and stores them for further use:

BlackMatter Enumeration
Figure 6: Enumeration of computer accounts.

Note: We see here that ADsEnumerateNext is being called for each iteration of the loop. The loop breaks if one of the following occurs:

  • ADsEnumerateNext fails
  • 0 elements returned from ADsEnumerateNext
  • It could not get the “dNSHostName” attribute.

The interesting thing here is that BlackMatter breaks the iteration if the attribute “dNSHostName” is not set.

Next, BlackMatter tries to map what shares each computer has, using the NetShareEnum function (from Netapi32.dll), which creates a NetShareEnumAll request over RPC.

BlackMatter Enumeration Request
Figure 7: NetShareEnumAll request from BlackMatter to a potential victim for remote share encryption.

Here is an example of the shares returned:

BlackMatter NetShareEnumAll Response
Figure 8: NetShareEnumAll response with the available shares’ information.

Then, BlackMatter tries to access the shares via SMB (in fact, it ignores C$ and admin$) and encrypts the files.

BlackMatter ignores certain shares
Figure 9: BlackMatters ignores shares that are neither of type STYPE_DISKTREE or STYPE_SPECIAL and that are neither “admin$” nor “C$”.
Figure 10: BlackMatter accesses the “secrets” share and encrypts its data.

About LDAP Controls

From ldapwiki.com:
“An LDAP control is an element that may be included in an LDAP Message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed. If it is included in the response message, it can be used to provide additional information about the way the operation was processed.”

For example, sending the control LDAP_SERVER_SORT_OID will make the server return the results sorted. In our case, the functionality of BlackMatter uses the control LDAP_PAGED_RESULT_OID_STRING, which does not guarantee the order of results. Nevertheless, in our lab, the LDAP server in the Active Directory returned the computer names sorted alphanumerically (case insensitive) for every request, including for a large number of computer accounts.

BlackMatter LDAP Control
Figure 11: The control used in the LDAP query for computers. This control does not guarantee sorted results.

How can this be used to prevent BlackMatter from encrypting shares on remote computers?

As mentioned above, BlackMatter won’t keep harvesting computer names once it encounters a computer object that lacks the “dNSHostName” attribute. Hence, if it retrieves a computer account that lacks the “dNSHostName” attribute first, then it will not attempt to retrieve the information about the rest of the computers, so it will not try to encrypt these remote computers’ exposed shares.

As explained above, the order of the results for enumeration using ADsBuildEnumerator and ADsEnumerateNext is not guaranteed, although in our labs we saw only alphabetically sorted results.

The key idea to prevent BlackMatter from encrypting remote available shares is to create a computer account that lacks the “dNSHostName” attribute and that will appear first alphabetically. An example of this name could be “aaa-comp.”

Example:

Figure 12: A computer that is first alphabetically among the computers accounts in the domain.

This account attributes:

Figure 13: Attribute dNSHostName is not set.

Consequently, executing BlackMatter on a victim workstation in this AD environment will result in an encrypted computer but will prevent BlackMatter from remotely encrypting accessible file shares.

Furthermore, it should be noted again that if your computer accounts are not under COMPUTERS, but some other OU or container, these computers are also safe from remote share encryption.

UPDATE: January 27, 2022: In order to understand where this logic flaw originated, we tested additional samples in our environment: a sample of REvil and a sample of DarkSide:

  • The sample of DarkSide we tested has the same functionality described above as BlackMatter and has the same logic flaw that BlackMatter has.
  • The sample of REvil we tested does not include the functionality of remotely encrypting public shares (only if these are mapped as a network drive to the victim).

REvil Sha256:
D55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

DarkSide Sha256:
0a0c225f0e5ee941a79f2b7701f1285e4975a2859eb4d025d96d9e366e81abb9

References:
https://ldapwiki.com/wiki/SupportedControl
https://docs.microsoft.com/en-us/previous-versions/windows/desktop/dsml/ldap-controls-and-session-support
https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/

Sample analyzed:
Sha256: 22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6