Cyber security firm Emsisoft has been secretly decrypting BlackMatter ransomware victims since this summer, saving them millions of dollars.
Emsisoft and its CTO Fabian Wosar have been helping ransomware victims recover their files since 2012, when an operation called ACCDFISA was launched as the first modern ransomware.
Since then, Wosar and others have worked tirelessly to find flaws in ransomware encryption implementations that allow decryptors to be created.
However, to prevent ransomware gangs from fixing these flaws, Emsisoft quietly works with trusted law enforcement and incident response partners to share news of these decryptors rather than making them available to the public.
A secret BlackMatter decryptor
Shortly after the BlackMatter ransomware operation launched, Emsisoft discovered a flaw that allowed them to create a decryptor to recover victims’ files without paying a ransom.
Emsisoft immediately alerted law enforcement, ransomware negotiation companies, incident response companies, CERTs worldwide, and trusted partners with information about the decryptor.
This allowed these trusted parties to refer BlackMatter victims to Emsisoft to recover their files rather than paying a ransom.
“Since then, we have been involved in helping BlackMatter victims recover their data. With the help of law enforcement, CERTs and private sector partners in several countries, we have been able to reach many victims, helping them avoid tens of millions of dollars in claims,” Wosar explains in a blog post on the BlackMatter decryptor.
Besides referrals, Emsisoft also contacted victims found via BlackMatter samples and publicly uploaded ransom notes on various sites.
When a BlackMatter sample becomes public, it is possible to extract the ransom note and access the negotiations between the victim and the ransomware gang. After identifying the victim, Emsisoft contacted them privately about the decryptor so that they did not have to pay the ransom.
If Emsisoft could find the ransomware samples and notes, other people could also use them to hijack negotiations or share screenshots of the discussions on Twitter.
This ultimately led BlackMatter to lock down their negotiation site so that only victims could access it, thus preventing researchers from finding victims.
“We’ve been fighting ransomware for over a decade, so we understand better than anyone the frustration the infosec community has with ransomware threat actors,” Wosar explained.
“However, as cathartic as the cursing may have felt, it resulted in BlackMatter locking down their platform and locking us and everyone else in the process.”

As victims began to refuse to pay, BlackMatter grew increasingly suspicious of and angry with ransomware negotiators.
A stakeholder and negotiator told TechToSee that they started receiving death threats from BlackMatter after none of the victims of an attack paid a ransom.
All good things come to an end
Unfortunately, BlackMatter became aware of the decryptor at the end of September and was able to fix the bugs that had allowed Emsisoft to decrypt victims’ files.
“One of the ways BlackMatter may have become aware of the existence of the vulnerability is by monitoring corporate networks and communications after the breach. This is why we always recommend that victims switch to a secure communication, like a dedicated Signal group for example, as well as ensuring that no compromised network is involved in general recovery processes,” Wosar told TechToSee.
For victims who were encrypted before the end of September, Emsisoft can still help them through their ransomware recovery service.
Wosar told us they are trying to handle as many cases as possible for free, with home users, nonprofits, and victims among businesses involved in the global pandemic response receiving free support.
“Unlike most of the industry, we don’t charge by the hour but operate on a fixed price basis. The exact charges are usually in the 4-digit range, but may depend on the exact circumstances. can’t afford to pay us, we usually waive the charges or come to some other arrangement. Ultimately, the charges are not designed to make us rich.” – Fabian Wosar.
Victims encrypted by BlackMatter after the bug was fixed can no longer be helped, but Emsisoft suggests that you always contact them to see if they can learn anything from newer samples.
Emsisoft has also discovered vulnerabilities in around a dozen active ransomware operations, which can be used to recover victims’ encrypted data without ransom payment.
Emsisoft advises victims to report attacks to law enforcement, which can collect valuable indicators of compromise for investigation and direct victims to Emsisoft if a decryptor is available.
DarkSide: the precursor of BlackMatter
BlackMatter went into action this summer shortly after another notorious ransomware gang known as DarkSide shut down operations.
The DarkSide Gang was a highly technical ransomware operation launched in August 2020 and known for numerous attacks against organizations around the world.
However, their attack on Colonial Pipeline, the largest fuel pipeline in the United States, drew the full attention of the United States government to the gang. This led to their servers being seized and the US government clawing back $4 million from the Colonial Pipeline ransom payment.

Realizing that they had bitten off more than they could chew, DarkSide quickly ended their operation and fled into the shadows.
However, whether it’s out of greed or a need to be in the spotlight, ransomware gangs always tend to come back under new names.
This is the case with DarkSide which returned as BlackMatter in July.