Emsisoft created a free decryptor for past victims of the BlackMatter ransomware

Experts from cybersecurity firm Emsisoft announced the availability of a free decryptor for past victims of the BlackMatter ransomware.

Cybersecurity firm Emsisoft has released a free decryption tool for past victims of the BlackMatter ransomware. The researchers found a vulnerability in the encryption process implemented in the BlackMatter ransomware that allowed them to recover encrypted files for free. Emsisoft didn’t reveal the existence of the flaw before to avoid the ransomware group patching the code of their malware.

The decrypter only allows decrypting files encrypted with BlackMatter versions used gang between mid-July and late-September 2021, the most recent version of the ransomware addressed the issue.

“Earlier this year, Emsisoft researchers discovered a critical flaw in the BlackMatter ransomware that allowed them to help victims recover their files without paying a ransom, preventing millions of dollars falling into the hands of cybercriminals. The work has been conducted quietly and privately so as not to alert the BlackMatter operators to the flaw.“ reads the announcement published by Emsisoft.

The company is now urging the victims of the BlackMatter ransomware to contact them to receive support to recover their data without paying the ransom.

The company, with the help of law enforcement agencies, CERTs and private sector partners in multiple countries, is reaching numerous victims to recover their data.

“Beyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families. In these cases, we can recover the vast majority of victims’ encrypted data without a ransom payment. As with BlackMatter, we aren’t making the list of families public until the vulnerability has been found and fixed by their respective operators. This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help.” concludes Emsisoft.

The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.

The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.

BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang has implemented a Linux encryptor to targets VMware ESXi virtual machine platform. 

BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.

Recently, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.

The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.

CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:

• Implement Detection Signatures;
• Use Strong Passwords;
• Implement Multi-Factor Authentication;
• Patch and Update Systems;
• Limit Access to Resources over the Network;
• Implement Network Segmentation and Traversal Monitoring;
• Use Admin Disabling Tools to Support Identity and Privileged Access Management;
• Implement and Enforce Backup and Restoration Policies and Procedures;

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]