Security researchers reverse engineer the infamous ransomware strain and discover a way to stymie its file encryption process, even if it reaches a corporate network
Security researchers have discovered a flaw in the logic driving the BlackMatter ransomware family that lets businesses stop the program from encrypting remote shared folders on an organization’s network.
The findings mean businesses are able to deploy a relatively simple mitigation to protect themselves against a key attack vector in one of the most successful ransomware strains of the past few years.
Although the ransomware family is highly sophisticated and deploys many anti-debugging techniques, the mitigation can stop BlackMatter from searching for other computers in Active Directory (AD), according to researchers at Illusive.
By creating a ‘dummy’ computer account in AD and leaving its ‘dNSHostName’ attribute unset, defenders cause BlackMatter to stop searching AD for other computers to encrypt as soon as it stumbles upon the fake account.
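The following PowerShell is an added example of how an administrator could pre-stage such a decoy computer object and confirm that its dNSHostName attribute is empty; it is not code from the article or from Illusive. It assumes the RSAT ActiveDirectory module, rights to create computer objects in the chosen OU, and placeholder values for the decoy name and OU path.

```powershell
# Added example (not from the article or Illusive): create a decoy computer
# object with no dNSHostName and verify the attribute is absent.
# Assumes: ActiveDirectory module, permission to create computer objects.
# $DecoyName and $TargetOU are placeholders; adjust for your domain.

Import-Module ActiveDirectory

$DecoyName = 'DECOY-FS01'                        # placeholder name
$TargetOU  = 'OU=Servers,DC=example,DC=local'     # placeholder OU

# New-ADComputer leaves dNSHostName unset unless -DNSHostName is supplied,
# which is exactly the state of a pre-staged, never-joined account.
# A long random password is set so the object cannot be used to join a host.
$existing = Get-ADComputer -Filter "Name -eq '$DecoyName'" -ErrorAction SilentlyContinue
if (-not $existing) {
    $pw = ConvertTo-SecureString -String ([guid]::NewGuid().Guid + [guid]::NewGuid().Guid) -AsPlainText -Force
    New-ADComputer -Name $DecoyName `
                   -SAMAccountName "$DecoyName`$" `
                   -Path $TargetOU `
                   -AccountPassword $pw `
                   -Description 'Decoy object - do not join a machine to it or delete it'
}

# Verify: the attribute must be null/empty on the decoy.
$decoy = Get-ADComputer -Identity $DecoyName -Properties dNSHostName
if ([string]::IsNullOrEmpty($decoy.dNSHostName)) {
    Write-Output "OK: $DecoyName has no dNSHostName set"
} else {
    Write-Warning "$DecoyName has dNSHostName '$($decoy.dNSHostName)'; clear it with Set-ADComputer -Clear dNSHostName"
}

# Optional check: list every computer object and flag those without a dNSHostName,
# so the decoy (and any accidental ones) are visible to the admin.
Get-ADComputer -Filter * -Properties dNSHostName |
    Select-Object Name, dNSHostName, @{n='NoHostName'; e={ [string]::IsNullOrEmpty($_.dNSHostName) }} |
    Sort-Object NoHostName -Descending
```

The article only says the enumeration halts once the malware stumbles upon the decoy, so hosts enumerated before it are not covered by this trick; treat it as one extra obstacle alongside backups, segmentation and privilege restrictions rather than a substitute for them. Keep the decoy documented so routine AD clean-up jobs that purge stale computer accounts do not remove it.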
On January 7, 2022, cybersecurity experts highlighted a simple Active Directory (AD) configuration tweak that could significantly reduce the risk of BlackMatter ransomware attacks. BlackMatter, a ransomware strain associated with cybercriminal groups, had been a major threat to organizations.
The recommended tweak involved adjusting the permissions within Active Directory to limit access to sensitive accounts and resources. By enforcing stricter access controls, organizations could minimize the chances of attackers exploiting vulnerabilities within the AD environment.
Key points from the article included:
- Restricting Access: Limiting who can log in with administrative privileges and ensuring that only essential personnel have access to critical accounts.
- Regular Audits: Conducting regular audits of AD permissions to identify and rectify any unnecessary access.
- Monitoring and Alerts: Setting up monitoring for unusual login attempts or changes to account permissions, allowing for quicker responses to potential breaches.
- User Education: Training staff on the importance of security practices, such as recognizing phishing attempts, which are often the entry points for ransomware attacks.
Implementing these strategies was seen as a proactive measure to bolster defenses against ransomware threats like BlackMatter. Organizations were encouraged to prioritize these adjustments as part of their cybersecurity strategies.
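As an added example of the audit and monitoring steps listed above (not code from the article), this PowerShell enumerates the transitive membership of a few privileged AD groups and pulls recent group-membership change events from the Security log. It assumes the ActiveDirectory module, that it runs on a domain controller (or is pointed at one), and that the group list and seven-day window are starting points to adjust.

```powershell
# Added example (not from the article): audit privileged group membership and
# review recent membership changes recorded in the Security event log.
# Assumes: ActiveDirectory module; read access to the DC's Security log.
# The group list and time window below are assumptions, not article values.

Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1) Transitive membership of each privileged group; anything unexpected
#    (service accounts, stale users, nested groups) is an audit finding.
$members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n='Group'; e={ $g }}, Name, objectClass, distinguishedName
}
$members | Sort-Object Group, Name | Format-Table -AutoSize

# 2) Membership changes in the last 7 days.
#    4728/4732/4756 = member added to a security-enabled global/local/universal group
#    4729/4733/4757 = member removed from one of those groups
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Security'; Id = 4728,4729,4732,4733,4756,4757; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named fields out of the event XML rather than parsing the message text.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = if ($_.Id -in 4728,4732,4756) { 'Added' } else { 'Removed' }
            Group   = $data['TargetUserName']
            Member  = $data['MemberName']
            Actor   = $data['SubjectUserName']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run the membership listing on a schedule and diff it against the previous run; the event query is the same data a SIEM rule would key on, so the field names used here (TargetUserName for the group, MemberName for the member, SubjectUserName for the actor) map directly onto an alert on unexpected additions to these groups.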