A coding bug helped researchers build a secret BlackMatter ransomware decryption tool

2021-10-25

Carly Page

New Zealand-based cybersecurity company Emsisoft has been quietly helping BlackMatter ransomware victims recover encrypted files, preventing “tens of millions of dollars” in ransom payments and potentially signaling the end of BlackMatter for good.

BlackMatter, a successor to the DarkSide ransomware operation responsible for the Colonial Pipeline attack, first emerged in July this year and was recently the subject of a CISA warning due to “multiple” attacks targeting organizations deemed critical infrastructure, including two in the U.S. food and agriculture sector. The ransomware-as-a-service operation was also responsible for a recent attack on Olympus, which forced the Japanese tech giant to shut down its EMEA operations.

Emsisoft discovered earlier this year that, much like DarkSide, whose encryption mechanism contained a flaw that had allowed Emsisoft to decrypt files, BlackMatter’s encryption process also contained a vulnerability that let the company recover encrypted files without the ransom being paid. Emsisoft did not reveal the existence of the flaw until now, fearing that doing so would allow the BlackMatter group to roll out a fix immediately.

“Knowing DarkSide’s past mistakes, we were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims’ data without the need for a ransom to be paid,” Emsisoft CTO Fabian Wosar said in a blog post.

Once it had discovered the vulnerability, Emsisoft alerted law enforcement, ransomware negotiation firms, incident response firms, national computer emergency readiness teams (CERTs) and trusted partners to its decryption capabilities. This allowed those parties to refer BlackMatter victims to Emsisoft to recover their files rather than pay a ransom.

“Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands,” Wosar said. Emsisoft also contacted victims it found through BlackMatter samples and ransom notes publicly uploaded to various sites.

But Wosar said the ransom notes that were leaked or made publicly available made it possible for anyone to communicate with the threat actors as though they were the victim. BlackMatter later locked down its site, making it far more difficult for law enforcement and security researchers to gather vital intelligence.

Brett Callow, a threat analyst at Emsisoft, said this decryption campaign could be BlackMatter's demise.

“This may well be the end of the BlackMatter brand,” he said. “This is the second time their errors have cost their affiliates money, and the affiliates will likely not be too pleased about that. Unfortunately, even if the brand does end, the operators will likely return with a new one.”

“In the past, the risk/reward ratio was heavily skewed to ‘reward.’ This effort demonstrates that public-private sector collaboration can swing the needle, and that’s a key element to combatting the ransomware problem. The less profitable it is, the less incentive the threat actors have,” Callow told TechCrunch.

Emsisoft says it has also found vulnerabilities in about a dozen active ransomware operations. The company advises ransomware victims to report attacks to law enforcement, which can collect valuable indicators of compromise for investigative purposes and refer victims to Emsisoft if a decryption tool is available.
