fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

BlackMatter Ransomware Victims Quietly Helped Using Secret Decryptor

BlackMatter Ransomware Victims Quietly Helped Using Secret Decryptor

Cybersecurity firm Emsisoft has been secretly decrypting BlackMatter ransomware victims since this summer, saving victims millions of dollars.

Emsisoft and its CTO Fabian Wosar have been helping ransomware victims recover their files since 2012, when an operation called ACCDFISA was launched as the first modern ransomware.

Since then Wosar and others have been working tirelessly to find flaws in ransomware’s encryption algorithms that allow decryptors to be made.

However, to prevent ransomware gangs from fixing these flaws, Emsisoft quietly works with trusted partners in law enforcement and incident response to share the news of these decryptors rather than making them publicly available.

Also Read: Management Training PDF for Effective Managers and Leaders

A secret BlackMatter decryptor

Soon after the BlackMatter ransomware operation launched, Emsisoft discovered a flaw allowing them to create a decryptor recover victim’s files without paying a ransom.

Emsisoft immediately alerted law enforcement, ransomware negotiations firms, incident response firms, CERTS worldwide, and trusted partners with information about the decryptor.

This allowed these trusted parties to refer BlackMatter victims to Emsisoft to recover their files rather than pay a ransom.

“Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands,” explains Wosar in a blog post about the BlackMatter decryptor.

Other than referrals, Emsisoft was also contacting victims found through BlackMatter samples and ransom notes publicly uploaded to various sites.

When a BlackMatter samples becomes public, it was possible to extract the ransom note and gain access to the negotiations between the victim and the ransomware gang. After identifying the victim, Emsisoft would privately contact them about the decryptor so they they did not have to pay the ransom.

If Emsisoft could find the ransomware samples and notes, though, other people could as well and have used them to hijack negotiation chats or shared images of the chats on Twitter.

This ultimately led to BlackMatter locking down their negotiation site so that only the victims could gain access, making it impossible for researchers to find victims this way.

 “We have been fighting ransomware for more than ten years, so we understand the frustration the infosec community feels towards ransomware threat actors better than anyone,” shared Wosar.

“However, as cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process.”

Also Read: PDPA Laws And Regulations; A Systematic Guidelines In Singapore

New BlackMatter victim verification system
New BlackMatter victim verification system

 As victims started refusing to pay, BlackMatter grew increasingly suspicious and angry with ransomware negotiators.

One incident responder and negotiator, told BleepingComputer they began receiving death threats from BlackMatter after none of the victims in an attack paid a ransom.

All good things must come to an end

Unfortunately, BlackMatter learned of the decryptor at the end of September and was able to fix the bugs allowing Emsisoft to decrypt victims’ files.

“One of the ways BlackMatter may have become aware of the existence of the flaw is by monitoring networks and company communications post breach. It is why we always recommend victims to switch to a secure communications channel, like a dedicated Signal group for example, as well as ensure none of the compromised network is involved in the general recovery processes,” Wosar told BleepingComputer.

For those victims who were encrypted before the end of September, Emsisoft can still help through their ransomware recovery service.

Wosar told us that they try to handle as many cases for free, with home users, non-profits, and enterprise victims involved in the global pandemic response receiving free support.

“Unlike most of the industry, we don’t charge per hour but operate on a fixed price basis. The exact fee is usually in the mid 4 figures, but may depend on the exact circumstances. If a victim can’t afford to pay us, we generally waive the fee or come to an alternative arrangement. Ultimately, the fee is not designed to make us rich.” – Fabian Wosar.

Victims encrypted by BlackMatter after the bug was fixed can no longer be helped but Emsisoft suggests you still contact them to see if there is anything they can learn from newer samples.

Emsisoft has also found vulnerabilities in approximately a dozen active ransomware operations, which can be used to recover victims’ encrypted data without a ransom payment.

Emsisoft advises victims to contact law enforcement to report attacks, who can collect valuable indicators of compromise for investigative purposes and refer victims to Emsisoft if a decryptor is available

DarkSide: The precursor to BlackMatter

BlackMatter burst into action this summer soon after another notorious ransomware gang known as DarkSide shut down their operation.

The DarkSide gang was a highly technical ransomware operation that launched in August 2020 and was known for numerous attacks against organizations worldwide.

However, their attack on Colonial Pipeline, the largest fuel pipeline in the United States, brought the full attention of the US government to bear on the gang. This led to their servers being seized and the US government recovering $4 million of the Colonial Pipeline ransom payment.

Hacker forum post about seized DarkSide servers and cryptocurrency
Hacker forum post about seized DarkSide servers and cryptocurrency

Realizing that they bit off more than they could chew, DarkSide quickly shut down their operation and fled back into the shadows.

However, whether it’s greed or the need to be under the spotlight, ransomware gangs always tend to come back under new names.

Such is the case with DarkSide who returned as BlackMatter in July.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us