Earlier this year, Emsisoft researchers discovered a critical flaw in the BlackMatter ransomware that allowed them to help victims recover their files without paying a ransom, keeping millions of dollars out of the hands of cybercriminals. The work was conducted quietly and privately so as not to alert the BlackMatter operators to the flaw. For the reasons discussed below, we believe it is now safe to share the story without jeopardising the operation.
On July 21, 2021, the user account “BlackMatter” posted a new message on a known underground forum. The advertiser was looking for somebody who could help them gain access to the corporate networks of companies with annual revenues of more than $100 million. Outsourcing the different components of a ransomware-as-a-service operation to other, more specialised groups or individuals is standard practice; in this case, the BlackMatter user was looking for initial access brokers.
Emsisoft, a cybersecurity firm, has provided a free decryption solution for BlackMatter ransomware victims. The researchers discovered a flaw in the BlackMatter ransomware’s encryption scheme that allowed them to recover encrypted data without a ransom payment. Emsisoft kept the issue secret for a long time so that the ransomware operators would not fix their malware’s code.
Operators of the BlackMatter ransomware have claimed that they will not target healthcare organisations, critical infrastructure, defence industrial organisations or non-profit organisations. In August the gang deployed a Linux encryptor targeting VMware ESXi virtual machine hosts.
BlackMatter operators have already targeted a number of US-based companies, demanding ransom payments in Bitcoin and Monero ranging from $80,000 to $15,000,000.
CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
- Implement Detection Signatures;
- Use Strong Passwords;
- Implement Multi-Factor Authentication;
- Patch and Update Systems;
- Limit Access to Resources over the Network;
- Implement Network Segmentation and Traversal Monitoring;
- Use Admin Disabling Tools to Support Identity and Privileged Access Management;
- Implement and Enforce Backup and Restoration Policies and Procedures.
BlackMatter uses embedded, previously compromised credentials to query Active Directory (AD) over the Lightweight Directory Access Protocol (LDAP) and then uses the Server Message Block (SMB) protocol to reach every host it discovers on the network (the advisory notes that it enumerates each host’s accessible shares with the srvsvc.NetShareEnumAll MSRPC call). As hosts and shared drives are discovered, BlackMatter encrypts them remotely over the network.
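The discovery behaviour described above (one embedded credential fanning out to many hosts over SMB and enumerating their shares) is what the advisory's "detection signatures" and "traversal monitoring" mitigations are meant to catch. The following is an added example, not code from the advisory, CISA or Emsisoft: a Python sketch that runs two fan-out checks over a constructed set of Windows Security events, 4624 network logons (logon type 3) and 5145 share-access events. The host names, accounts, addresses, timestamps and thresholds are invented for illustration; the 5145 pattern of share IPC$ with relative target srvsvc is the named-pipe open that a remote share enumeration leaves in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample telemetry (made-up hosts, accounts, addresses) in a
    flattened form of the Windows Security log fields a SIEM would carry:
      4624 = successful logon (logon_type 3 = network, i.e. SMB/RPC from a peer)
      5145 = network share object checked (share name + relative target name)"""
    events = []
    base = datetime(2021, 10, 18, 2, 0, 0)
    # Benign: one admin touching two file servers over half an hour.
    for i, host in enumerate(["FS01", "FS02"]):
        t = base + timedelta(minutes=15 * i)
        events.append(dict(ts=t, event_id=4624, host=host, account="jdoe",
                           src_ip="10.0.1.10", logon_type=3))
        events.append(dict(ts=t, event_id=5145, host=host, account="jdoe",
                           src_ip="10.0.1.10", share=r"\\*\Finance", target="budget.xlsx"))
    # Suspicious: one account fanning out to 25 hosts in ~2.5 minutes, opening the
    # srvsvc pipe on IPC$ (share enumeration) and then the C$ admin share on each.
    for i in range(25):
        host = f"WS{i:02d}"
        t = base + timedelta(seconds=6 * i)
        events.append(dict(ts=t, event_id=4624, host=host, account="svc-backup",
                           src_ip="10.0.5.23", logon_type=3))
        events.append(dict(ts=t, event_id=5145, host=host, account="svc-backup",
                           src_ip="10.0.5.23", share=r"\\*\IPC$", target="srvsvc"))
        events.append(dict(ts=t, event_id=5145, host=host, account="svc-backup",
                           src_ip="10.0.5.23", share=r"\\*\C$", target="Users\\"))
    return events


def detect_logon_fanout(events, window=timedelta(minutes=5), host_threshold=10):
    """Flag each (account, src_ip) pair that completes network logons to at least
    host_threshold distinct hosts inside any sliding window of length `window`.
    Returns one alert per pair with the peak distinct-host count."""
    per_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            per_actor[(e["account"], e["src_ip"])].append((e["ts"], e["host"]))
    alerts = []
    for (account, src_ip), logons in per_actor.items():
        logons.sort()
        in_window = defaultdict(int)   # host -> logons currently inside the window
        peak, peak_start, j = 0, None, 0
        for i, (t_i, h_i) in enumerate(logons):          # i = left edge of window
            while j < len(logons) and logons[j][0] - t_i <= window:
                in_window[logons[j][1]] += 1             # extend right edge
                j += 1
            distinct = sum(1 for c in in_window.values() if c > 0)
            if distinct > peak:
                peak, peak_start = distinct, t_i
            in_window[h_i] -= 1                          # slide the left edge
        if peak >= host_threshold:
            alerts.append({"rule": "smb_logon_fanout", "account": account,
                           "src_ip": src_ip, "window_start": peak_start,
                           "distinct_hosts": peak})
    return alerts


def detect_share_enumeration(events, host_threshold=10):
    """Flag each (account, src_ip) pair that opens the srvsvc pipe on IPC$
    (the named pipe a remote share enumeration uses) on many distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if (e["event_id"] == 5145 and e.get("share", "").endswith("IPC$")
                and e.get("target", "").lower() == "srvsvc"):
            hosts[(e["account"], e["src_ip"])].add(e["host"])
    return [{"rule": "share_enumeration", "account": a, "src_ip": ip,
             "distinct_hosts": len(h)}
            for (a, ip), h in hosts.items() if len(h) >= host_threshold]


def run(events=None):
    events = constructed_events() if events is None else events
    return detect_logon_fanout(events) + detect_share_enumeration(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both checks key on the pair (account, source address) rather than on the account alone, because the advisory's point is a single embedded credential being replayed from one foothold; an account that legitimately logs on from many workstations would otherwise swamp the rule. The thresholds are placeholders: tune the window and host count against a baseline of your own backup, patching and monitoring accounts before enabling the rule, and pair it with alerts on first-seen use of the credential from a new source.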
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have released a joint advisory outlining the BlackMatter ransomware’s operations and defensive guidance. The advisory also includes detection signatures that network defenders can use to identify BlackMatter network activity.
Last but not least, all law enforcement agencies, public institutions, and CERTs, as well as all insurance and digital forensic and incident response providers, are invited to attend. To reach and help more people, we are constantly increasing our capabilities and network. Please don’t hesitate to contact us if you’re interested in learning more about what we can do for you, your clients, or even your citizens.
Emsisoft concluded: “Beyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families. In these cases, we can recover the vast majority of victims’ encrypted data without a ransom payment. As with BlackMatter, we aren’t making the list of families public until the vulnerability has been found and fixed by their respective operators. This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help.”