Overview
BlackMatter is a family of ransomware which has claimed some high profile victims in recent months. Security researchers have identified an easy way to stop the ransomware from spreading in an Active Directory (AD) environment.
Businesses may wish to perform the actions below to enhance their security against BlackMatter ransomware.
General guidance on ransomware can be found in our Advice & Guidance section.
Detail
When BlackMatter starts scanning for computers it scans the AD list from the top of the list alphabetically. Due to how the ransomware was programmed, it expects the dNSHostName to possess a value but if it is disabled it stops searching for computers to encrypt.
This mitigation isn’t a silver bullet as other methods such as local file encryption and mapped drive encryption are still possible so it may not prevent encryption on the computers on which it is executed, however, it is still a worthwhile modification to make:
-
Create user account, named as ‘aaa-comp’ (or something similar so it is listed first alphabetically in the AD)
- When creating the account, disable the dNSHostName attribute
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.