Blackmatter Ransomware Decryption Tool Found Due to Coding Bug

October 25, 2021
Emsisoft Aids BlackMatter Victims, Potentially Ending Ransomware Operation

A New Zealand-based cybersecurity firm, Emsisoft, has been discreetly assisting those affected by the BlackMatter ransomware, enabling the recovery of their encrypted files. This intervention has reportedly prevented the payment of “tens of millions of dollars” in ransom demands and may ultimately lead to the cessation of BlackMatter’s operations.

BlackMatter's Emergence and Targets

BlackMatter surfaced in July as a successor to the DarkSide ransomware group, infamous for the attack on the Colonial Pipeline. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning concerning BlackMatter due to a series of attacks. These attacks specifically targeted organizations within critical infrastructure sectors, including two entities in the U.S. food and agriculture industry.

The ransomware-as-a-service operation was also implicated in a recent breach at Olympus, compelling the Japanese technology corporation to temporarily suspend operations across its EMEA region.

Discovery of a Critical Vulnerability

Earlier this year, Emsisoft identified a significant flaw within BlackMatter’s encryption process. Similar to a weakness found in DarkSide’s encryption, this vulnerability allowed for the recovery of encrypted files without the necessity of ransom payment.

The company deliberately withheld public disclosure of the flaw, anticipating that the BlackMatter group would promptly patch it if it became known.

Decryption Capabilities and Collaborative Effort

“Recognizing DarkSide’s previous shortcomings, we were surprised when BlackMatter introduced a modification to their ransomware payload that once again enabled us to restore victims’ data without requiring a ransom,” explained Fabian Wosar, Emsisoft’s CTO, in a blog post.

Upon discovering the vulnerability, Emsisoft proactively informed law enforcement agencies, ransomware negotiation firms, incident response teams, national Computer Emergency Readiness Teams (CERTs), and trusted partners about its decryption capabilities.

This facilitated the referral of BlackMatter victims to Emsisoft for file recovery, rather than succumbing to ransom demands.

Impact and Reach of the Recovery Effort

“Subsequently, we have been actively assisting BlackMatter victims in recovering their data,” Wosar stated. “Through collaboration with law enforcement, CERTs, and private sector partners across multiple countries, we have reached numerous victims, helping them avoid substantial ransom demands totaling tens of millions of dollars.”

Emsisoft also proactively contacted victims identified through publicly available BlackMatter samples and ransom notes.

BlackMatter's Response and Limited Intelligence Gathering

Initially, publicly leaked ransom notes allowed external parties to interact with the threat actors as if they were legitimate victims. However, BlackMatter subsequently secured its site, significantly hindering intelligence gathering efforts by law enforcement and security researchers.

Ongoing Support and Potential Demise

Emsisoft continues to offer assistance to BlackMatter victims who were encrypted prior to the end of September. Brett Callow, a threat analyst at Emsisoft, suggests that this decryption campaign may signify the end for BlackMatter.

“This could very well mark the end of the BlackMatter brand,” Callow commented. “This is the second instance where their errors have resulted in financial losses for their affiliates, and they are unlikely to be pleased about that. However, even if the brand disappears, the operators will likely resurface under a new guise.”

The Importance of Public-Private Collaboration

“Historically, the risk-reward ratio heavily favored the ‘reward’ side. This operation demonstrates how public-private sector collaboration can shift that balance, which is a crucial element in combating the ransomware problem. The less profitable it becomes, the less motivation the threat actors will have,” Callow explained to TechCrunch.

Further Vulnerabilities and Recommendations

Emsisoft reports identifying vulnerabilities in approximately a dozen currently active ransomware operations. The company recommends that victims of ransomware attacks report incidents to law enforcement, enabling the collection of valuable indicators of compromise for investigative purposes and potential referral to Emsisoft if a decryption tool is available.
