BlackMatter ransomware victims quietly helped using a secret decryptor

Cybersecurity firm Emsisoft has been quietly decrypting BlackMatter ransomware victims' files since this summer, saving them millions of dollars in ransom payments.

Emsisoft and its CTO Fabian Wosar have been helping ransomware victims recover their files since 2012, when an operation called ACCDFISA launched as the first modern ransomware. Since then, Wosar and others have worked tirelessly to find flaws in ransomware encryption implementations that allow decryptors to be built.

However, to prevent ransomware gangs from fixing these flaws, Emsisoft quietly shares news of these decryptors with trusted law enforcement and incident response partners rather than making them available to the public.

A secret BlackMatter decryptor

Shortly after the BlackMatter ransomware operation launched, Emsisoft discovered a flaw that allowed them to create a decryptor to recover victims' files without paying the ransom.

Emsisoft immediately alerted law enforcement, ransomware negotiation firms, incident response companies, CERTs worldwide, and trusted partners about the decryptor. This allowed these trusted parties to refer BlackMatter victims to Emsisoft to recover their files rather than pay a ransom.

"Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement, CERTs, and private sector partners in several countries, we have been able to reach many victims, helping them avoid tens of millions of dollars in claims," Wosar explains in a blog post about the BlackMatter decryptor.

Besides referrals, Emsisoft also contacted victims it identified from BlackMatter samples and ransom notes publicly uploaded to various sites. When a BlackMatter sample becomes public, it is possible to extract the ransom note and access the negotiations between the victim and the ransomware gang. After identifying a victim, Emsisoft contacted them privately about the decryptor so that they did not have to pay the ransom.

If Emsisoft could find ransomware samples and ransom notes this way, other people could too, and some used them to hijack negotiation chats or share screenshots of the discussions on Twitter. This ultimately led BlackMatter to lock down its negotiation site so that only victims could gain access, making it impossible for researchers to find victims by this route.

"We have been fighting ransomware for more than ten years, so we understand the frustration the infosec community feels towards ransomware threat actors better than anyone," shared Wosar. "However, as cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform and locking us and everyone else out in the process."

As victims began to refuse to pay, BlackMatter grew increasingly suspicious of and angry at ransomware negotiators. A stakeholder and negotiator told BleepingComputer that they started receiving death threats from BlackMatter after none of the victims of an attack paid a ransom.

All good things come to an end

Unfortunately, BlackMatter learned of the decryptor at the end of September and fixed the bugs that had allowed Emsisoft to decrypt victims' files.

"One of the ways BlackMatter may have become aware of the existence of the vulnerability is by monitoring corporate networks and communications after the breach. This is why we always recommend that victims switch to secure communication, such as a dedicated Signal group for example, as well as ensuring that no compromised network is involved in general recovery processes," Wosar told BleepingComputer.

For victims who were encrypted before the end of September, Emsisoft can still help through its ransomware recovery service. Wosar told us they try to handle as many cases as possible for free, with home users, nonprofits, and business victims involved in the global pandemic response receiving free support.

Victims encrypted by BlackMatter after the bug fix can no longer be helped, but Emsisoft suggests that you still contact them to see if there is anything they can learn from the new samples. Emsisoft has also discovered vulnerabilities in around a dozen other active ransomware operations, which can be used to recover victims' encrypted data without a ransom payment.

Emsisoft advises victims to report attacks to law enforcement, who can collect valuable indicators of compromise for their investigations and direct victims to Emsisoft if a decryptor is available.

DarkSide: The precursor to BlackMatter

BlackMatter launched this summer, shortly after another notorious ransomware gang known as DarkSide shut down its operation. The DarkSide gang was a highly technical ransomware operation launched in August 2020 and known for numerous attacks against organizations around the world.