BlackMatter Decryptor Nullified by Actors’ Fix After Ransomware Note Leaked on Twitter

• A ransomware note from the BlackMatter group tied to its last major attack in September 2021 leaked on Twitter.
• As a result, the actors locked down their platform, cutting researchers off.
• Later, an update that fixed the ransomware flaw discovered by the researchers appeared, nullifying the decryptor that has been saving victims from paying.

A decryptor for the BlackMatter ransomware has been distributed in the last months to the victims in secret, allowing targets to avoid paying the actors. However, after a ransomware note tied to the group's last major attack in September leaked on Twitter and attracted unwanted attention, the crooks decided to lock down their platform and release an update that fixed the flaw and turned the decryptor obsolete.

The leaked ransom note led to a lot of chaos on Twitter, with the victims and BlackMatter subjected to incessant trolling. The social media chaos made the crooks shut down their operations, which, in turn, prevented security researchers and law enforcement from continuing to access the group's platform.

A recent payload change to the group's ransomware allowed infosec researchers to decrypt the hostage data without any ransom paid, so Emsisoft used the flaw for a decryptor that has been secretly shared with attack victims to avoid paying the ransom. However, the Emsisoft decryptor became useless when a few weeks after the leak BlackMatter updated their ransomware, fixing the vulnerability.

The security research team says they found about a dozen other active ransomware families but won't disclose anything until the actors discover and fix the vulnerability on their own. As such, victims are encouraged to announce the law enforcement and reach out to Emsisoft.

The BlackMatter gang, formerly known as DarkSide, has led several ransomware attacks on pivotal US critical infrastructures such as blood testing facilities and food and agriculture organizations.

BlackMatter and its predecessor, DarkSide, have been major ransomware-as-a-service gangs for a long time. Their most popular targets are large private sector organizations from which they have extracted seven-figure ransom demands. One of its latest attacks in early May 2021 ended in a very difficult situation when it attacked the US Colonial Pipeline for which it lost its critical infrastructure when the US attacked in retaliation. This included bitcoin wallets with the $4.4 million ransom paid up by Colonial Pipeline to recover their operations quickly.

While the first of these incidences shed a spotlight on their affiliates, it also led them to shut down their activities and go dark. DarkSide disappeared after the retaliation and re-emerged as BlackMatter with a new leaks website and an underground advertisement calling in hackers with access to large corporate networks.