BlackMatter ransomware victims were quietly helped by a secret decryptor.
It saved them millions of dollars. The cybersecurity company Emsisoft has been decrypting their files in secret.
Emsisoft and its CTO Fabian Wosar have been helping ransomware victims recover their files since 2012, when an operation called ACCDFISA launched as the very first modern ransomware.
Ever since, Wosar and thousands of other researchers have worked hard to find weaknesses in ransomware encryption algorithms and to turn those weaknesses into decryptors.
But to prevent the ransomware gangs from patching these vulnerabilities, Emsisoft has been working quietly with select law enforcement agencies and incident response teams, informing trusted partners of the decryptors' existence rather than announcing them publicly.
A secret BlackMatter decryptor
Shortly after the BlackMatter ransomware operation launched, Emsisoft discovered a flaw that allowed it to build a decryptor to recover victims' files without paying the ransom.
Emsisoft immediately alerted law enforcement, ransomware negotiation firms, incident response companies, CERTs worldwide, and trusted partners about the decryptor. The company also helped create a confidential system through which trusted parties could refer BlackMatter victims so they could recover their files instead of paying a ransom.
"We have been helping BlackMatter victims recover their data. With the help of law enforcement, CERTs, and private sector partners in several countries, we have been able to reach many victims, helping them avoid tens of millions of dollars in claims," Wosar explained in a blog post about the BlackMatter decryptor.
Besides referrals, Emsisoft also contacted victims it identified from BlackMatter samples and from ransom notes uploaded publicly to various sites. When a BlackMatter sample becomes public, it is possible to extract the ransom note from it and access the negotiation between the victim and the ransomware gang. After identifying a victim, Emsisoft contacted them privately about the decryptor so they did not have to pay the ransom.
Because Emsisoft could find the samples and notes, so could others, who used them to hijack negotiations or to share screenshots of the discussions on Twitter. This eventually led BlackMatter to lock down its negotiation site and restrict access to the victims themselves, which made it impossible for researchers to find victims this way.
"We have fought ransomware for more than ten years, so we understand the frustration of the infosec community, but it resulted in BlackMatter locking down their platform and excluding us and everyone else in the process." BlackMatter also became increasingly suspicious of and angry with ransomware negotiators. A stakeholder and negotiator told BleepingComputer that they started receiving death threats from BlackMatter after none of the victims of an attack paid a ransom.
All good things come to an end
Unfortunately, BlackMatter learned of the decryptor at the end of September and fixed the bugs that had allowed Emsisoft to decrypt victims' files. One way BlackMatter may have become aware of the vulnerability is by monitoring corporate networks and communications after a breach. "This is why we always recommend that victims switch to secure communication, such as a dedicated Signal group, and ensure that no compromised network is involved in the recovery process in general," Wosar told BleepingComputer.
Emsisoft still helps victims whose data was encrypted before the September fix through its ransomware recovery service. Wosar said they try to handle cases free of charge for home users, nonprofits, and businesses involved in the global pandemic response. Victims encrypted by BlackMatter after the bug fix can no longer be helped, but Emsisoft suggests that they still get in touch, in case there is something it can learn from the new samples. Emsisoft has also discovered vulnerabilities in around a dozen other active ransomware operations that can be used to recover victims' encrypted files without paying a ransom.
Emsisoft advises victims to report attacks to law enforcement, who can collect valuable indicators of compromise for their investigations and direct victims to Emsisoft if a decryptor is available.
DarkSide: The precursor to BlackMatter
BlackMatter began operating this summer, shortly after another notorious ransomware gang known as DarkSide shut down. DarkSide was a highly technical ransomware operation that launched in August 2020 and became known for numerous attacks against organizations around the world.