Emsisoft has been secretly decrypting BlackMatter ransomware victims since the summer thanks to a vulnerability that allows the company to create a descryptor that recover victim’s files without paying a ransom.

Although Emsisoft alerted law enforcement agencies, ransomware negotiation companies, incident response companies, CERTS worldwide, and trusted partners regarding the decryptors, the company refused to make them public to prevent ransomware gangs from fixing the bugs.

Therefore, working quietly with Emsisoft enabled these trusted parties to refer BlackMatter victims to the company to recover their files instead of paying ransom. Apart from referring Emsisoft to victims, Emsisoft also contacted victims who were found through BlackMatter samples and publicly uploaded ransom notes on various websites.

BlackMatter became suspicious and angry with ransomware negotiators, because the victims refused to pay ransom. Later, the gang learned about the decryptor at the end of September and was then able to fix the bugs, which enabled Emsisoft to decrypt the files of the victims. However, victims, who were encrypted before the end of September, can still access Emsisoft via their Ransomware Recovery Service.