Security researchers claim to have saved BlackMatter ransomware victims millions over the past few months after exploiting a bug they found in the malware to recover files for free.
Emsisoft CTO, Fabian Wosar, explained in a blog post yesterday that the security vendor has been building decryption tools and services to help speedy recovery from ransomware for a decade.
One of its most fruitful efforts is to search for vulnerabilities in the code of ransomware variants and exploit them for the benefit of customers. However, for this scheme to work without alerting the ransomware developers, it must happen covertly.
"Publicly disclosing the existence of a flaw in ransomware can alert the threat actors to its existence, resulting in them immediately fixing the problem. Consequently, in the case of gangs that we believe to be technically sophisticated — such as DarkSide/BlackMatter — we do not publicly announce or disclose the existence of vulnerabilities,” said Wosar.
“Instead, we communicate our decryption capabilities in private via a network of law enforcement agencies and trusted parties. In our opinion, this approach enables us to help as many victims for as long as possible. Additionally, it creates an incentive for victims to report ransomware incidents to local authorities as they may, in return, be able to provide crucial intelligence from third parties such as us which avoids the need for ransom demands to be paid.”
This is what happened with BlackMatter, a mistake that reportedly cost the group tens of millions of dollars over several months.
Unfortunately, the group eventually realized what had happened and remediated the bug several weeks ago.
That said, Wosar urged BlackMatter victims to get in touch as Emsisoft may still help them. It has also identified flaws in around a dozen ransomware variants, saving victim organizations significant time, money and blushes.
The US authorities also released a new alert on BlackMatter last week, detailing recommendations for mitigating the threat.