
Security experts discovering the BlackMatter Ransomware vulnerability has prevented tens of millions of dollars in ransom payments

author:cnBeta

New Zealand-based cybersecurity firm Emsisoft has been quietly helping victims of the BlackMatter ransomware recover encrypted files, preventing "tens of millions of dollars" of ransom payments and possibly marking the permanent end of the BlackMatter operation. BlackMatter, an upgraded successor to the DarkSide ransomware used in the Colonial Pipeline attack, first appeared in July.


Recently, CISA issued a specific warning about the ransomware, saying it had carried out "multiple" attacks against organizations deemed critical infrastructure, including two in the U.S. food and agriculture sector. The ransomware, which operates as a service, was also to blame for the recent attack on Olympus, which forced the Japanese tech giant to shut down systems in its EMEA region.

Emsisoft discovered earlier this year that, like DarkSide before it, BlackMatter's encryption process has a vulnerability that allows Emsisoft to decrypt files, so victims can recover their data without having to pay a ransom. Emsisoft is only now revealing the existence of the vulnerability because disclosing it earlier would have prompted the BlackMatter group to roll out a fix immediately.


Fabian Wosar, CTO of Emsisoft, said in a blog post: "Knowing about DarkSide's past mistakes, we were surprised when BlackMatter made modifications to their ransomware payload that allowed us to recover the victim's data again without having to pay the ransom fee."


After discovering the vulnerability, Emsisoft informed law enforcement, ransomware negotiators, incident response companies, national Computer Emergency Response Teams (CERTs), and trusted partners about its decryption capabilities. This allowed these trusted parties to refer BlackMatter victims to Emsisoft to recover their files instead of paying a ransom.

Wosar said: "Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERT and private sector partners in multiple countries, we were able to reach many victims and help them avoid tens of millions of dollars in demands." Emsisoft also contacted victims found through BlackMatter samples and ransom notes publicly uploaded to various websites.
