Euro Security Watch with Mathew J. Schwartz


Memo to Ransomware Victims: Seeking Help May Save You Money

Flaw in DarkSide and BlackMatter Enabled Security Firm to Decrypt Files for Free
BlackMatter's dedicated data leak site, where it attempts to name and shame victims into paying a ransom. Experts say the group has broken every one of its so-called rules.

Ransomware-wielding attackers continue to seek victims who will pay them ransoms that can reach tens of millions of dollars. But while ransomware might be today's top cybercrime boogeyman, the attackers, despite their bravado, are not infallible.


The latest demonstration of that fact comes via security experts who have been able to directly contact victims of attacks launched by DarkSide ransomware, which later rebranded as BlackMatter, with this message: We can unlock your files, thanks to a coding flaw.

New Zealand-based security firm Emsisoft says it discovered the first such flaw in the Windows version of DarkSide on Dec. 12, 2020, which persisted until DarkSide issued an update on Jan. 12. That was one day after security firm Bitdefender released a free decryption tool, which the attackers appear to have reverse-engineered to identify what to fix.

For anyone infected during that time, however, Emsisoft said the flaw meant that all crypto-locked files could be decrypted without having to pay attackers a ransom. The company declined to name the specific victims it helped.

Brett Callow, a threat analyst at Emsisoft, tells me its BlackMatter decryptor isn't free, "as it needs to be customized for every victim/system," for which the company charges "modest fees." But he adds that "we'd never leave anybody in the lurch."

DarkSide's Rise

DarkSide malware was first spotted in the wild in August 2020, according to security firm Intel 471. The ransomware-as-a-service operation began publicly seeking to recruit affiliates - to take its malware and infect victims in exchange for a share of any ransom paid - in November 2020. After that, to better attract new affiliates, the developer continued to introduce new features. All was going according to plan, criminally speaking, until May, when an affiliate hit Colonial Pipeline, which distributes 45% of the fuel used along the U.S. East Coast.

News of the attack led to panic buying of gasoline, sparking a political response: The White House announced new initiatives aimed at better combating ransomware and cybercrime, encompassing law enforcement and diplomacy as well as making U.S. businesses' cybersecurity practices more resilient.

Rebranding as BlackMatter

In the wake of the attack, DarkSide disappeared, its brand seemingly burned. By July, BlackMatter had launched. After analyzing the malware, multiple security experts concluded that it was simply the latest version of DarkSide.

Thankfully for some victims, the group's code development track record also continued. After the reappearance, "BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims' data without the need for a ransom to be paid," Fabian Wosar, CTO of Emsisoft, says in a blog post. "As soon as we became aware of the gang's error, we quietly reached out to our partners, who then assisted us in reaching as many victims as possible before they paid BlackMatter's ransom."

Partners that the firm regularly works with to identify victims include not just other security firms, but also law enforcement agencies, the U.S. Cybersecurity and Infrastructure Security Agency and other countries' computer emergency response teams, as well as the free ID Ransomware site and the Bleeping Computer forums, where ransomware victims often go seeking help.

Emsisoft also offers a free assessment for ransomware recovery, where victims can go to see what types of help - including any potential Get Out of Jail Free options - might be available. The firm also offers a paid service in which it will rewrite or streamline the decryption software provided by a ransomware operation, if the victim does choose to pay.

Quietly Decrypting for Free, When Possible

Helping victims to decrypt files for free, when that is possible, gets done on the q.t. As Wosar told me in an interview earlier this year, "We want to fly under the radar, to not alert the threat actors" (see: Alert for Ransomware Attack Victims: Here's How to Respond).

Hence his advice to ransomware victims, which is to always contact law enforcement officials or a reputable firm that handles ransomware incident response, to see what types of free solutions might be available now or in the future.

For an organization that doesn't need to even consider paying a ransom - perhaps because it's mostly able to restore from backups - a free decryptor might get released in the future, in case there was any data it wasn't able to completely restore. Multiple ransomware operations have called it quits, saying they're retiring and releasing free keys for all victims. Or sometimes, police arrest administrators and seize keys that way. More recently, law enforcement agencies also appear to have been more actively attempting to disrupt ransomware operators' infrastructure.

Over the summer, for example, the FBI obtained a master decryptor for the REvil - aka Sodinokibi - ransomware. Later, the key was shared with Bitdefender, allowing it to build and publish a free decryptor for all REvil infections seen prior to the ransomware group's initial disappearance in July. After the group reappeared, a multigovernment operation penetrated REvil's infrastructure and helped drive the group offline, Reuters recently reported (see: REvil Revelations: Law Enforcement Behind Disruptions).

Victims who contact law enforcement officials can sometimes get other types of help too. After Colonial Pipeline paid a ransom worth $4.4 million in bitcoins to DarkSide, for example, the FBI was able to recover about $2.3 million worth of the bitcoins.

Ransomware: The Battle Goes On

These aren't the only wins in the battle against ransomware. For years now, security and incident response firms, multiple police forces and others have found new ways to defeat ransomware encryption and build free decryptors. In a well-rehearsed cat-and-mouse game, of course, as soon as such news becomes public, attackers typically tweak their malware to fix the flaws.

In the case of BlackMatter, unfortunately, attackers fixed the flaw being used to decrypt files without paying them, at the end of September. Its attacks have continued, and recently they became the focus of a U.S. government cybersecurity alert. "BlackMatter actors have attacked numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15 million in bitcoin and monero," it warns.

Joint CISA, FBI and National Security Agency cybersecurity alert into BlackMatter

Emsisoft declined to comment on what might have clued BlackMatter in to the flaw in its code. But in an interview with The New York Times, which first reported the story, Wosar advised victims to only ever communicate with security experts and law enforcement using out-of-band communications, such as external email addresses that they do not access from work systems, since the ransomware attackers may still be inside their systems.

But the attacker-free decryptor is a reminder that no software is perfect, and ransomware developers make mistakes too. "Beyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families. In these cases, we can recover the vast majority of victims' encrypted data without a ransom payment," Wosar says.

"As with BlackMatter, we aren't making the list of families public until the vulnerability has been found and fixed by their respective operators," he adds. "This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
