How to Proactively Limit Damage From BlackMatter Ransomware

The BlackMatter ransomware strain that’s been used in numerous attacks against US critical infrastructure entities and other large organizations in recent months has a serious logic flaw in its code that limits the malware’s effectiveness in some situations.

Organizations that can trigger the faulty logic can potentially mitigate the damage that BlackMatter can cause in their environment, Illusive said in a report Friday.

Illusive researchers discovered the flaw when they observed the ransomware failing to encrypt shares of remote computers in the company’s test environment. A closer inspection of the code showed that BlackMatter encrypts other computers in the same network only if the environment is configured in a particular way.

The logic flaw gives organizations a way to prevent BlackMatter from encrypting file shares, says Shahar Zelig, security researcher at Illusive.

“But it is important to note that the compromised device would still be encrypted,” he says. “And if an attacker has compromised multiple devices, it could still run BlackMatter to encrypt all those devices. This logic flaw is specifically about remote shares.”

BlackMatter surfaced in July 2021 soon after the DarkSide ransomware-as-a-service operation shut down following an attack on Colonial Pipeline that stirred concern — and reaction — all the way from the White House down. Like DarkSide, BlackMatter is being distributed under a ransomware-as-a-service model. The malware has been used in attacks against at least two organizations belonging to the US food and agriculture sector and several other critical infrastructure targets. Operators of the ransomware have published data belonging to at least 10 large organizations across the US, Canada, UK, India, Brazil, Thailand, and Chile.

Security vendors that have analyzed the malware describe its payload as highly efficient, small (about 80Kb in size), well-obfuscated, and running mostly in memory. An analysis conducted by Varonis showed the operators of BlackMatter typically gain initial access by compromising vulnerable edge devices, including remote desktops and VPNs, or by abusing login credentials obtained from other sources.

Concerns over BlackMatter prompted…