Community Feature - @fwosar
A Curated Intelligence member - Fabian Wosar - announced the private release of a BlackMatter decryption tool developed through the work of Emsisoft. Fabian specializes in reverse engineering the encryption implementations utilised by ransomware variants in order to achieve decryption. The decrypter can recover files locked by the BlackMatter gang between August and late September 2021; victims whose infection happened before October 2021 can contact Emsisoft for support and to find out which options are available to them.
The blog highlights a strong point about timing the announcement of decrypters: "publicly disclosing the existence of a flaw in ransomware can alert the threat actors to its existence, resulting in them immediately fixing the problem. Consequently, in the case of gangs that we believe to be technically sophisticated – such as DarkSide/BlackMatter – we do not publicly announce or disclose the existence of vulnerabilities. Instead, we communicate our decryption capabilities in private via a network of law enforcement agencies and trusted parties. In [Emsisoft's] opinion, this approach enables us to help as many victims for as long as possible."
- A researcher figures out how to decrypt a ransomware variant
- They inform LEAs, IR firms, negotiators, CERTs, ISACs, or other NGOs
- Using these intelligence sharing avenues, the decryption tool for the ransomware can be passed to victims who can recover their files without paying the ransom
- The ransomware gang loses money they would have got from the victim for the decryption keys
- Eventually, the ransomware gang may realise that only a small percentage of victims are paying ransoms for decryption keys
- If the ransomware gang fixes the issue in the encryption, the decryption tool can be released publicly
Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!