Getty Images/iStockphoto

Emsisoft cracked BlackMatter ransomware, recovered victims' data

Emsisoft developed a decryptor for BlackMatter and also found vulnerabilities in about a dozen other ransomware families that can be used to recover victims' data.

Emsisoft revealed that it's been privately assisting victims of BlackMatter ransomware recover their files without paying a ransom.

In a blog post Sunday, the security vendor detailed how researchers earlier this year discovered a critical flaw in the ransomware variant that allowed them to decrypt victims' data without paying threat actors. However, help was cut short several weeks ago when the operators behind the variant updated the flaw.

BlackMatter shares similarities with the DarkSide ransomware gang, which is known for a slew of attacks such as the one against the Colonial Pipeline Company that caused a gas panic on the East Coast. The Colonial Pipeline Company gave into the $4.4 million demand, but the FBI seized a portion of it back using a bitcoin private key. 

In October, the growing BlackMatter ransomware threat led to a joint advisory by the FBI and the National Security Agency. The advisory warned that the ransomware group posed a danger to U.S.-based organizations, particularly ones in critical infrastructure. Rumors of an association between DarkSide and BlackMatter began.

Through payload analysis from July 31, Emsisoft confirmed the connection between BlackMatter and DarkSide.

"The very first BlackMatter version turned out to be almost identical to the last DarkSide version, with the only difference being minor incremental improvements," the blog post said.

Similarly to DarkSide, operators behind BlackMatter introduced a change to their ransomware payload that allowed Emsisoft to develop a decryptor and recover victims' data without paying cybercriminals.

"As soon as we became aware of the gang's error, we quietly reached out to our partners, who then assisted us in reaching as many victims as possible before they paid BlackMatter's ransom," the blog post said.

The vendor kept its decryptor quiet because publicly disclosing the flaw would alert threat actors who would in turn fix it. Emsisoft found discretion to be vital in the case of the BlackMatter ransomware gang, which it described as "technically sophisticated." Without public disclosure, they still found a way to interface with victims.

Emsisoft threat analyst Brett Callow said that in cases such as this, the company gets word to victims by working with a network of trusted third parties, including law enforcement agencies, various regional CERTs and other public and private sector organizations. Callow said it's hard to say whether Emsisoft received more or less victims than expected, but they knew there would be a significant amount.

Victims of BlackMatter ransomware attacks are not the only ones Emsisoft can offer help. According to the blog, the vendor has identified vulnerabilities in about a dozen active ransomware families.

"In these cases, we can recover the vast majority of victims' encrypted data without a ransom payment," the blog post said. "As with BlackMatter, we aren't making the list of families public until the vulnerability has been found and fixed by their respective operators."

The time it takes for a ransomware gang to find out it has an exploitable vulnerability varies. According to Callow, it can range from hours to months. In some cases, he said, buggy ransomware may continue to be used for years.

"For example, some ransomware kits are sold for a one-time fee and the actors which use these kits do not necessarily update them," Callow said in an email to SearchSecurity.

While the critical flaw in BlackMatter has been fixed, Emsisoft said that doesn't mean its work is done. There are still victims who were not contacted.

"We are now urging these victims to reach out to us, as we can likely help them recover the data without paying the criminals," the blog post said.

Dig Deeper on Threats and vulnerabilities