A coding bug helped researchers build a secret BlackMatter ransomware decryption tool

New Zealand-based cybersecurity company Emsisoft has been quietly helping BlackMatter ransomware victims recover encrypted files, preventing “tens of millions of dollars” in ransom payments and potentially signaling the end of BlackMatter for good.

BlackMatter, a successor to the DarkSide ransomware operation responsible for the Colonial Pipeline attack, first emerged in July this year and was recently the subject of a CISA warning due to “multiple” attacks targeting organizations deemed critical infrastructure, including two in the U.S. food and agriculture sector. The ransomware-as-a-service operation was also responsible for a recent attack on Olympus, which forced the Japanese tech giant to shut down its EMEA operations.

Emsisoft discovered earlier this year that, much like DarkSide, which had a flaw in its encryption mechanism that allowed Emsisoft to decrypt files, BlackMatter’s encryption process also had a vulnerability that allowed the company to recover encrypted files without the victim having to pay the ransom. Emsisoft did not reveal the existence of the flaw until now, fearing that doing so would allow the BlackMatter group to immediately roll out a fix.

“Knowing DarkSide’s past mistakes, we were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims’ data without the need for a ransom to be paid,” Emsisoft CTO Fabian Wosar said in a blog post.

Once it had discovered the vulnerability, Emsisoft alerted law enforcement, ransomware negotiation firms, incident response firms, national computer emergency readiness teams (CERTs) and trusted partners to its decryption capabilities. This allowed these trusted parties to refer BlackMatter victims to Emsisoft to recover their files rather than pay a ransom.

“Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands,” Wosar said. Emsisoft also contacted victims found through BlackMatter samples and ransom notes publicly uploaded to various sites.

But Wosar said the ransom notes that were leaked or made publicly available made it possible for anyone to communicate with the threat actors as though they were the victim. BlackMatter later locked down its site, making it far more difficult for law enforcement and security researchers to gather vital intelligence.

Emsisoft said it can still help BlackMatter victims whose files were encrypted before the end of September. Brett Callow, a threat analyst at Emsisoft, said this decryption campaign could be BlackMatter’s demise.

“This may well be the end of the BlackMatter brand,” he said. “This is the second time their errors have cost their affiliates money, and the affiliates will likely not be too pleased about that. Unfortunately, even if the brand does end, the operators will likely return with a new one.”

“In the past, the risk/reward ratio was heavily skewed to ‘reward.’ This effort demonstrates the public-private sector collaboration can swing the needle, and that’s a key element to combatting the ransomware problem. The less profitable it is, the less incentive the threat actors have,” Callow told TechCrunch.

Emsisoft says it’s also found vulnerabilities in about a dozen active ransomware operations. The company advises victims of ransomware to report attacks to law enforcement, who can collect valuable indicators of compromise for investigative purposes and refer victims to Emsisoft if a decryption tool is available.