A coding bug helped researchers build a secret BlackMatter ransomware decryption tool

Emsisoft, a cybersecurity firm based in New Zealand, has quietly been helping BlackMatter ransomware victims recover their encrypted files, potentially saving them “tens of millions of dollars” in ransom payments and possibly spelling the end of the BlackMatter brand. BlackMatter, a successor to the DarkSide ransomware operation responsible for the Colonial Pipeline attack, first appeared in July this year and was recently the subject of a CISA advisory prompted by “multiple” attacks on critical infrastructure organizations, including two in the United States’ food and agriculture sector. The ransomware-as-a-service operation was also behind a recent attack on Olympus, which forced the Japanese tech giant to shut down its EMEA operations.

Emsisoft discovered earlier this year that, like DarkSide before it, BlackMatter’s encryption scheme contained a flaw that allowed the firm to restore encrypted files without a ransom being paid. Emsisoft kept the discovery private until now, reasoning that disclosing it would let the BlackMatter group patch the flaw quickly. In a blog post, Emsisoft CTO Fabian Wosar said, “Knowing DarkSide’s past blunders, we were shocked when BlackMatter provided a tweak to their ransomware payload that allowed us to once again recover victims’ data without the need for a ransom to be paid.”

After uncovering the flaw, Emsisoft shared details of its decryption capability with law enforcement, ransomware negotiation firms, incident response firms, national computer emergency readiness teams (CERTs), and other trusted partners. These partners could then refer BlackMatter victims to Emsisoft to recover their files rather than pay a ransom.

“Since then, we’ve been busy assisting BlackMatter victims in regaining access to their data. We were able to reach several victims with the support of law enforcement authorities, CERTs, and private sector partners in multiple countries, saving them tens of millions of dollars in demands,” Wosar added. Emsisoft also contacted victims it had identified from BlackMatter samples and ransom notes that had been made public on other websites. According to Wosar, however, those leaked or publicly available ransom notes allowed anyone to contact the threat actors as if they were the victim. BlackMatter later shut down its website, making it far more difficult for law enforcement and security researchers to acquire crucial information.

Emsisoft says that BlackMatter victims whose files were encrypted before the end of September can still receive assistance. According to Brett Callow, a threat analyst at Emsisoft, the decryption campaign could spell the end for BlackMatter. “This could be the end of the BlackMatter brand. This is the second time their mistakes have cost their affiliates money, and the affiliates are not happy about it. Regrettably, even if the brand is discontinued, the operators would very certainly launch a new one,” he remarked.

“Previously, the risk/reward ratio was significantly skewed in favor of ‘reward.’ This endeavor highlights how public-private sector partnership can make a difference, which is crucial in combating ransomware. Threat actors will have fewer motives if it is less profitable,” Callow told TechCrunch. Emsisoft says it has discovered flaws in roughly a dozen active ransomware operations. According to the company, law enforcement agencies can collect useful indicators of compromise for investigative purposes and refer victims to Emsisoft when a decryption tool is available.