Decrypter announced for past BlackMatter ransomware victims

Antivirus maker and cybersecurity firm Emsisoft announced today the availability of a free decryption utility for past victims of the BlackMatter ransomware.

  • The utility, named a decrypter, uses a flaw in the ransomware encryption scheme of the BlackMatter ransomware to allow the recovery of encrypted files without paying the ransom demand.
  • The decrypter can recover files locked by the BlackMatter gang between mid-July and late-September 2021.
  • The encryption flaw was fixed in recent versions of the BlackMatter code.
  • Past BlackMatter victims can obtain a copy of the decrypter by reaching out to Emsisoft directly.

The utility was announced earlier today in a blog post by Emsisoft CTO Fabian Wosar, who identified the encryption flaw earlier this summer.

Wosar said Emsisoft had been working in the shadows with government agencies and law enforcement agencies to reach out to past BlackMatter victims and distribute the decrypter via private channels, helping them recover files without paying huge ransom fees.

The Emsisoft CTO said they publicly announced the decrypter today as a way to reach past BlackMatter victims they could not identify and contact in the past.

Wosar said they didn't reveal the existence of this decrypter before in order to avoid the BlackMatter gang patching its code earlier.

The issue of releasing decrypters too early has been a recent talking point in the cybersecurity community, with some researchers advising their fellows to keep encryption bugs secret and help victims via private channels rather than announce decrypters with a PR fanfare.

Launched at the end of July, BlackMatter is a top-tier ransomware-as-a-service (RaaS) operation that works with a limited number of other criminal groups (called "affiliates") to launch attacks against high-profile targets. In an ad posted on underground cybercrime forums, the BlackMatter gang said they were only interested in companies with revenues of $100 million or higher. The group is believed to be the de-facto rebrand of Darkside, the ransomware operation that hit Colonial Pipeline earlier this year, causing massive fuel shortages across the US East Coast and triggering an aggressive political response from US authorities.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.