Emsisoft has been secretly decrypting the files of BlackMatter ransomware victims. The company has been able to save millions of victims from paying ransoms.
Emsisoft has been helping ransomware victims recover their files since 2012. The company found flaws in the ransomware's encryption implementation that allowed it to develop a decryptor. To keep the BlackMatter operators from learning of and fixing these flaws, Emsisoft worked quietly with law enforcement, ransomware negotiation firms, incident response firms, CERTs worldwide, and other critical partners, who passed word of the decryptor on to victims.
These trusted parties referred BlackMatter victims to Emsisoft to recover their files and avoid paying a ransom.
“Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands,” Wosar explained in a blog post.
Besides referrals, Emsisoft also reached out directly to victims it identified from BlackMatter samples and ransom notes. However, BlackMatter soon locked down its negotiation site so that only the victims themselves could gain access, which made it impossible for researchers to identify victims that way.
Unfortunately, at the end of September, BlackMatter learned about the decryptor and fixed the flaws in its ransomware that had allowed Emsisoft to decrypt files.
“One of the ways BlackMatter may have become aware of the existence of the flaw is by monitoring networks and company communications post breach. It is why we always recommend that victims switch to a secure communications channel, like a dedicated Signal group for example, as well as ensure none of the compromised network is involved in the general recovery processes,” Wosar told BleepingComputer.
After the flaw was fixed, victims could no longer be helped this way, but Emsisoft still suggests that victims reach out in case there is something new to learn.
Emsisoft has also discovered flaws in several other new and active ransomware operations that can be used to recover encrypted data without paying a ransom.
Emsisoft encourages victims to report attacks to law enforcement; agencies can collect valuable indicators of compromise and refer victims to Emsisoft if a decryptor is available.