Decrypting BlackMatter Ransomware

Community Feature - @fwosar

A Curated Intelligence member - Fabian Wosar - announced the private release of a BlackMatter decryption tool through the work of Emsisoft. Fabian specializes in reverse engineering the encryption implementations used by ransomware variants in order to achieve decryption. Victims whose infection occurred before October 2021 can contact Emsisoft for support to find out which options are available to them; the decrypter can recover files locked by the BlackMatter gang between August and late September 2021.

The blog highlights a strong point about timing the announcement of decrypters: "publicly disclosing the existence of a flaw in ransomware can alert the threat actors to its existence, resulting in them immediately fixing the problem. Consequently, in the case of gangs that we believe to be technically sophisticated – such as DarkSide/BlackMatter – we do not publicly announce or disclose the existence of vulnerabilities. Instead, we communicate our decryption capabilities in private via a network of law enforcement agencies and trusted parties. In [Emsisoft's] opinion, this approach enables us to help as many victims for as long as possible."

This statement from Fabian fits "Scenario #2" of @BushidoToken's recent Ransomware Decryption Intelligence overview:

  • A researcher figures out how to decrypt a ransomware variant
  • They inform LEAs, IR firms, negotiators, CERTs, ISACs, or other NGOs
  • Using these intelligence sharing avenues, the decryption tool for the ransomware can be passed to victims who can recover their files without paying the ransom
  • The ransomware gang loses money they would have got from the victim for the decryption keys
  • Eventually, the ransomware gang may realise that a low % of victims are paying ransoms for decryption keys
  • If the ransomware gang fixes the issue in the encryption, the decryption tool can be released publicly

The world as we know it depends on private-sector malware analysts to identify cryptographic flaws in ransomware and then build their own decryption tools to help victims recover. This handful of people in the private sector is who the entire world, including many governments, depends on to build decrypters.

This discussion raises a question from some folks in the Curated Intelligence community: are governments investing in ransomware decrypters? If they are, are they optimally helping victims? And if they aren't, should they be?

Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!