Preventing BlackMatter Ransomware from Encryption of Available Remote Share
During the last three months of 2021, Illusive researchers have seen BlackMatter ransomware attacks spread throughout the entire world, including hitting huge companies. CISA published an alert about BlackMatter and many detailed technical reports had been published.
BlackMatter is a sophisticated ransomware family. It leverages multithreading and various anti-debugging techniques, which have been detailed in other technical articles already published. However, a serious flaw in the logic of BlackMatter could neutralize the spread of an attack.
This article will focus on a unique way to potentially mitigate the damage of BlackMatter by employing a pre-built behavior that can prevent it from encrypting shares on remote computers.
Remote Share encryption
Reviewing the behavior of BlackMatter reveals that other computers in the same environment are only being encrypted if the built-in configuration enables it. Examining the network activity revealed its actions:
First, BlackMatter attempts to retrieve all the computers from the AD:
It is worth noting that BlackMatter only requests objects from the built-in ‘Computers’ container, but does not request objects from other OUs. Therefore, an organization that does not have any computer objects in COMPUTERS but in some OU, is safe from that.
After BlackMatter retrieves all computer objects in the domain, then it retrieves attributes of each computer account through LDAP:
To enumerate the computers in the Active Directory, BlackMatter uses the standard API functions: ADsOpenObject, AdsBuildEnumerator, ADsEnumerateNext.
This is the loop that enumerates the computers and stores them for further use:
Note: We see here that ADsEnumerateNext is being called for each iteration of the loop. The loop breaks if one of the following occurs:
- ADsEnumerateNext fails
- 0 elements returned from ADsEnumerateNext
- It could not get the “dNSHostName” attribute.
The interesting thing here is that BlackMatter breaks the iteration if the attribute “dNSHostName” is not set.
Next, BlackMatter tries to map what shares each computer has, using the NetShareEnum function (from Netapi32.dll), which creates a NetShareEnumAll request over RPC.
Here is an example of the shares returned:
Then, BlackMatter tries to access the shares via SMB (in fact, it ignores C$ and admin$) and encrypts the files.
About LDAP Controls
“An LDAP control is an element that may be included in an LDAP Message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed. If it is included in the response message, it can be used to provide additional information about the way the operation was processed.”
For example, sending the control LDAP_SERVER_SORT_OID will make the server return the results sorted. In our case, the functionality of BlackMatter uses the control LDAP_PAGED_RESULT_OID_STRING, which does not guarantee the order of results. Nevertheless, in our lab, the LDAP server in the Active Directory returned the computer names sorted alphanumerically (case insensitive) for every request, including for a large number of computer accounts.
How can this be used to prevent BlackMatter from encrypting shares on remote computers?
As mentioned above, BlackMatter won’t keep harvesting computer names once it encounters a computer object that lacks the “dNSHostName” attribute. Hence, if it retrieves a computer account that lacks the “dNSHostName” attribute first, then it will not attempt to retrieve the information about the rest of the computers, so it will not try to encrypt these remote computers’ exposed shares.
As explained above, the order of the results for enumeration using ADsBuildEnumerator and ADsEnumerateNext is not guaranteed, although in our labs we saw only alphabetically sorted results.
The key idea to prevent BlackMatter from encrypting remote available shares is to create a computer account that lacks the “dNSHostName” attribute and that will appear first alphabetically. An example of this name could be “aaa-comp.”
This account attributes:
Consequently, executing BlackMatter on a victim workstation in this AD environment will result in an encrypted computer but will prevent BlackMatter from remotely encrypting accessible file shares.
Furthermore, it should be noted again that if your computer accounts are not under COMPUTERS, but some other OU or container, these computers are also safe from remote share encryption.
UPDATE: January 27, 2022: In order to understand where this logic flaw originated, we tested additional samples in our environment: a sample of REvil and a sample of DarkSide:
- The sample of DarkSide we tested has the same functionality described above as BlackMatter and has the same logic flaw that BlackMatter has.
- The sample of REvil we tested does not include the functionality of remotely encrypting public shares (only if these are mapped as a network drive to the victim).