BlackMatter ransomware victims get free decryption key

First detected in July 2021, BlackMatter is ransomware-as-a-service (Raas) tool. It lets the ransomware’s criminals get financial gain from their affiliates (i.e BlackMatter actors) who exploit it against victims. This ransomware group can be a possible rebrand of DarkSide, a RaaS gang that was operating from September 2020 through May 2021. BlackMatter targeted numerous U.S. organizations and demanded ransom payments varying from $80,000 to $15,000,000 in Monero and Bitcoin.

Ransoware group had a flaw in their code

The usual method of work for the ransomware criminals is to encrypt victims data. Then, they demand ransom payments for the data recovery, and optionally – for deleting the leaked data. Sometimes demands can go up to millions of dollars. Providing decryption code for everyone is difficult. But when a cyber security specialist found a critical error in an update of the malicious code they tried to help as many victims as they could. Among those saved are key manufacturers, food suppliers and transportation companies across continental Europe, the United States and Britain.

Decryptor developers tried to keep all information about them away from public. They do so to win more time until the gang got the attention from executive authorities. The decrypter can help those whose files were affected by the gang between mid-July and late-September 2021. Currently, you can send a help request to the Emsisoft team, and they will help you if your case fits the decryptor’s capabilities. At this moment hackers from BlackMatter fixed the flaw in recent versions of their malicious code. A short victory against ransomware that will cost organizations $20 billion losses this year, according to a report from the research firm Cybersecurity Ventures.

New victims of BlackMatter

Just when the decryption key was handed off to victims BlackMatter attacked two American agriculture organizations: Crystal Valley, a Minnesota farming supply cooperative, and NEW Cooperative, an Iowa grain cooperative. Both cooperatives recovered shortly after that. This made a significant drawback for the cyber security specialist to reach out to the victims. After the chat where criminals communicated with those affected began to be vetted off it became harder to find victims.

During the negotiations over the latest attacks by the BlackMatter random people started popping up in chats. That caused a disruption for cybercriminals, and they stopped the chat for a while. Cybersecurity specialists could not enter the chats after that. They used those chats in the hope that somewhere the name of the affected organization would pop up.¹

Recently BlackMatter targeted technology giant Olympus. Japan-based Olympus manufactures digital and optical reprography technology for the life sciences and medical industries. The company’s management said in a short statement that it is “currently investigating a potential cybersecurity incident” affecting its Middle East, European and Africa departments. Since the group appeared in June, cyber security specialists have filed more than 40 ransomware attacks connected to BlackMatter but the total number of victims can be significantly higher.

1. More information on the latest BlackMatter attacks