Ransomware Group’s Mistake Cost Millions...

You can also watch this video on LBRY

  • Emsisoft discovered flaw in BlackMatter ransomware payload
  • For months, Victims' ransomed files were secretly decrypted
  • Trolling campaign helped derail law enforcement's intelligence gathering

Who is BlackMatter?

Blackmatter is thought to be a rebranded version of the Darkside ransomware gang. Darkside was responsible for the Colonial Pipeline hack earlier this year, knocking out one of America's major pipelines, causing fuel shortages.

After the Colonia hack Darkside disappeared, only to reboot themselves several months later as 'BlackMatter'. In the past few days the FBI has put a $10,000,000 bounty on any information leading to the arrest of Darkside members, presumably Blackmatter also falls under this bounty.

The Vulnerability

Emsisoft discovered what they describe as a “critical flaw in the BlackMatter” ransomware payload. And assisted "victims [in recovering] their files without paying a ransom".

Emsisoft doesn't provide any insights on what the vulnerability was. And whilst it was eventually patched by BlackMatter, the gang made a similar coding error - opening up a new vulnerability. Emsisoft say they've helped victims avoid paying tens of millions of dollars in ransom fees.

Trolling Blackmatter

Emsisoft describes a major thorn in their side which helped derail intelligence gathering stemmed from a leaked ransom note. Ransom notes typically include a link to a dark web site, where the victim can communicate with the ransomware gang, negotiating a payment. Given this link was leaked, the stage was opened up for anyone to join the chat and talk to BlackMatter themselves.

And so the trolling commenced...

Emsisoft laments:

As cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process. Unfortunately, that meant one of the most valuable tools we had to reach victims disappeared literally overnight, leading to missed victims who may have unnecessarily paid ransoms.

The vulnerability used to decrypt victims' files was eventually patched by BlackMatter a few weeks ago.

UDPATE: BlackMatter is reportedly shutting down (again)