For several weeks this summer, a cybersecurity firm was able to thwart the BlackMatter ransomware gang by capitalizing on a mistake application developers sometimes make: Leaving a hole open in its code.
New Zealand-based Emsisoft made the revelation Sunday because the gang recently plugged the hole so it was no longer able to help victims.
But for a time, and quietly working with the co-operation of law enforcement agencies, Emsisoft was able to contact companies that had been hit with the strain of ransomware, help them decrypt their data and refuse to pay the crooks.
In its blog, Emsisoft isn’t saying how many companies it was able to assist, nor which countries they were in. But it told the New York Times they included manufacturers, transportation companies and food suppliers across continental Europe, Britain and the United States.
“Beyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families,” Emsisoft said. “In these cases, we can recover the vast majority of victims’ encrypted data without a ransom payment. As with BlackMatter, we aren’t making the list of families public until the vulnerability has been found and fixed by their respective operators. This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help.”
In Canada, an organization should report any cyber security incident by calling their local police department’s general phone number. In the U.S., authorities say if the incident places someone in imminent danger, call local police. Otherwise, file an online complaint with the FBI’s Internet Complaint Centre.
From DarkSide to BlackMatter
The BlackMatter group is a direct descendant of a group called DarkSide, which had been a major player in the ransomware-as-a-service landscape since August 2020. It specialized in going after major businesses that could afford to pay a significant ransom. Like other groups, it copied corporate data before launching malware to encrypt it, then threatened to embarrass the organization by releasing the copied data publicly or to other threat actors unless a ransom was paid for a data decryption key.
But in May, it made a mistake, hitting Colonial Pipeline in the U.S. That caused fuel shortages and drew the attention of American political leaders.
Within days, Emsisoft noted, DarkSide had lost control over some of its critical infrastructure, including bitcoin wallets that contained the $4.4 million ransom Colonial Pipeline had hastily paid in the hopes of quickly getting back to an operational state. Feeling squeezed, DarkSide went dark – until July 21st, when a posting for a group called BlackMatter started advertising on a dark web marketplace looking for crooks who had access to IT networks of companies with more than $100 million in annual revenue.
Interestingly, what BlackMatter specifically said in that post was that it didn’t want to touch critical infrastructure organizations, presumably because hitting those targets would draw the attention of law enforcement. Nevertheless, said Emsisoft, the gang has attacked blood testing facilities and organizations in the food and agriculture sector.
Ten days after the BlackMatter post, Emsisoft was able to get its hands on an actual BlackMatter payload. The very first BlackMatter ransomware version turned out to be almost identical to the last DarkSide version. That was a blessing. Emsisoft had seen a flaw in DarkSide’s code in December 2020. For a month, that allowed it to quietly create and offer victim firms a data decryptor for the Windows version of the ransomware. That lasted until the flaw was fixed on January 12th.
Something similar happened not long after BlackMatter began operating.
“Knowing DarkSide’s past mistakes, we were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims’ data without the need for a ransom to be paid,” said Emsisoft. “As soon as we became aware of the gang’s error, we quietly reached out to our [law enforcement, computer emergency response teams (CERTS) and technology] partners, who then assisted us in reaching as many victims as possible before they paid BlackMatter’s ransom.”
However, in September the BlackMatter ransom note was leaked, which included instructions on how to reach out and communicate with the threat actor. Word spread and soon people began abusing the crooks on Twitter. BlackMatter shut its communications portal, which derailed any intelligence gathering by law enforcement and other security researchers.
Then BlackMatter released an update to its code, which fixed the flaw Emsisoft and others were relying on.
One lesson from this is that security researchers and law enforcement aren’t powerless against ransomware gangs. But victim organizations have to report incidents of ransomware — and any other cyber attack — so experts can look at the code to find flaws.
The first stop for infosec teams trying to decrypt data on their own is the website of the No More Ransom project, an initiative launched by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee. Many other tech companies and law enforcement bodies have since joined.
Organizations can upload an encrypted file for scanning, or upload the ransom note. The project has decryptors for over 100 strains of ransomware. However, these are only one-size-fits-all tools. Decryptors that need to be customized for every victim aren’t available from No More Ransom.
The No More Ransom project offers this advice for organizations on how to avoid being hit by ransomware.
The Canadian Centre for Cyber Security offers this advice for preventing and recovering from ransomware attacks.