You can also watch this video on LBRY
- Emsisoft discovered flaw in BlackMatter ransomware payload
- For months, Victims' ransomed files were secretly decrypted
- Trolling campaign helped derail law enforcement's intelligence gathering
Who is BlackMatter?
Blackmatter is thought to be a rebranded version of the Darkside ransomware gang. Darkside was responsible for the Colonial Pipeline hack earlier this year, knocking out one of America's major pipelines, causing fuel shortages.
After the Colonia hack Darkside disappeared, only to reboot themselves several months later as 'BlackMatter'. In the past few days the FBI has put a $10,000,000 bounty on any information leading to the arrest of Darkside members, presumably Blackmatter also falls under this bounty.
The Vulnerability
Emsisoft discovered what they describe as a “critical flaw in the BlackMatter” ransomware payload. And assisted "victims [in recovering] their files without paying a ransom".
Emsisoft doesn't provide any insights on what the vulnerability was. And whilst it was eventually patched by BlackMatter, the gang made a similar coding error - opening up a new vulnerability. Emsisoft say they've helped victims avoid paying tens of millions of dollars in ransom fees.
Trolling Blackmatter
Emsisoft describes a major thorn in their side which helped derail intelligence gathering stemmed from a leaked ransom note. Ransom notes typically include a link to a dark web site, where the victim can communicate with the ransomware gang, negotiating a payment. Given this link was leaked, the stage was opened up for anyone to join the chat and talk to BlackMatter themselves.
And so the trolling commenced...
apparently, the #ransomware negotiations chat was hijacked pic.twitter.com/QuNQCTg4bH
— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) September 23, 2021
#ransomware negotiations on fire 🔥 pic.twitter.com/4Jhr72oQz7
— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) September 22, 2021
Emsisoft laments:
As cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process. Unfortunately, that meant one of the most valuable tools we had to reach victims disappeared literally overnight, leading to missed victims who may have unnecessarily paid ransoms.
The vulnerability used to decrypt victims' files was eventually patched by BlackMatter a few weeks ago.
UDPATE: BlackMatter is reportedly shutting down (again)
BlackMatter ransomware group has announced they're shutting down operations following pressure from local authorities - they state key members are no longer 'available'.
— vx-underground (@vxunderground) November 3, 2021
Image 1. BlackMatter RaaS announcement of operations shutting down
Image 2. Russian translated to English pic.twitter.com/E4RWWAX7Hg
