Ransomware Vulnerability helps Emsisoft Develop Decryption Tool that will Save Victims Millions
Cybersecurity researchers at Emsisoft have been quietly helping victims of the BlackMatter ransomware attack recover their encrypted files, preventing “tens of millions of dollars” from falling into the hands of the cybercriminals.
The BlackMatter cybercriminal gang first emerged in July of 2021 and was the recent subject of a Cybersecurity and Infrastructure Security Agency (CISA) warning due to multiple attacks that targeted organizations deemed critical infrastructure. BlackMatter was responsible for a recent attack on Olympus, forcing the Japanese tech giant to shut down EMEA operations.
Earlier this year, Emsisoft discovered a flaw in BlackMatter’s encryption process that allowed it to recover encrypted files without the ransom being paid. Emsisoft kept the discovery quiet until now so that the cybercriminals would not know to roll out an immediate fix.
“Knowing DarkSide’s past mistakes, we were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims’ data without the need for a ransom to be paid,” Emsisoft CTO Fabian Wosar said.
Once the flaw was discovered, Emsisoft alerted law enforcement, ransomware negotiation firms, incident response firms, national computer emergency response teams (CERTs), and trusted partners to its decryption capabilities. This allowed those parties to refer victims to Emsisoft, where they could recover their files without paying a ransom.
“Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands,” Wosar said. Emsisoft also identified and contacted victims through BlackMatter samples and ransom notes that had been publicly uploaded to various sites.
Wosar said that leaked or publicly posted ransom notes allowed anyone to communicate with the threat actors as though they were the victim. BlackMatter eventually locked down its negotiation site, making it harder for law enforcement and researchers to gather critical intelligence.
Emsisoft notes that it can still help BlackMatter victims whose files were encrypted before the end of September.
“This may well be the end of the BlackMatter brand,” Brett Callow, a Threat Analyst at Emsisoft said. “This is the second time their errors have cost their affiliates money, and the affiliates will likely not be too pleased about that. Unfortunately, even if the brand does end, the operators will likely return with a new one.”
“In the past, the risk/reward ratio was heavily skewed to ‘reward’. This effort demonstrates that public-private sector collaboration can swing the needle, and that’s a key element to combatting the ransomware problem. The less profitable it is, the less incentive the threat actors have,” Callow said.
Emsisoft says it has also found vulnerabilities in about a dozen other active ransomware operations. Victims of ransomware should report attacks to law enforcement agencies, which can collect valuable information for investigative purposes and refer victims to firms like Emsisoft to see whether a decryption tool is available. Victims should also retain the encrypted files and ransom notes rather than wiping affected systems, since a flaw in the ransomware may make decryption possible later even where no tool exists today.
Story via TechCrunch