Coding Mistake Results in Million Dollar Loss for BlackMatter

In a recent article published by Emisoft, it was revealed how researchers discovered a bug in the BlackMatter ransomware’s code.  This bug was exploited by researchers to create decryption keys that were secretly handed out to victims of the ransomware gang, potentially losing the gang millions of dollars worth of ransom payments.

DarkSide, the threat group strongly believed to be behind BlackMatter and previously behind the DarkSide ransomware, was initially best known for committing other financially motivated cybercrimes, seeing the profit margins ransomware, and the ransomware-as-a-service business model could unlock they quickly pivoted.

DarkSide had been a major player in the ransomware-as-a-service landscape since August 2020, and generally targeted large private sector organizations that could afford seven-figure ransom demands.

It had been one of the most active groups until early May 2021, when the gang bit off more than it could chew by attacking the largest pipeline system for refined oil products in the US, Colonial Pipeline.

Coding Mistake Results in Million Dollar Loss for BlackMatter

The incident, which caused fuel shortages and forced some airlines to reschedule flights, impacted the daily lives of millions of people on the Eastern seaboard, drawing a large amount of attention from the press. More importantly the ire of the US law enforcement and the government as a whole.

Authorities were quick to act seizing millions of dollars paid by Colonial Pipeline, preventing DarkSide from profiting from their ill-gotten gains. The group went dark but had not given up. Malware developers and leaders of the group quickly began searching for new affiliates that could target and compromise companies with high earnings but not attack critical infrastructure.

This was typically done via posts on underground hacking forums. Then towards the end of July, it appeared that BlackMatter operations went live. Researchers noted,

“One of the most interesting aspects of the BlackMatter leak site is the list of prohibited targets that must not be attacked by any BlackMatter affiliate. The industries on this list very much reflect the industries that the U.S. designates as critical infrastructure – the same industries that got DarkSide into trouble in the first place, and the same industries that U.S. President Joe Biden declared as off-limits to malicious cyber activity in a private meeting with Russian President Vladimir Putin in June 2021. But BlackMatter had and has no intention of adhering to its own rules. Since the leak site was launched, the gang has attacked U.S. critical infrastructure entities including blood testing facilities and organizations in the food and agriculture sector.”

BlackMatter has seen several notable iterations since only going live a few months ago. Version 2 of the ransomware was released onto an unsuspecting public at the time of writing. That being said, despite the several iterations researchers discovered that code was flawed going back to the earliest versions.

For example, on December 12, 2020, Emsisoft researchers noticed a mistake the DarkSide operators had made that allowed us to decrypt the data encrypted by the Windows version of the ransomware without the need for a ransom to be paid. The gang fixed this flaw on January 12, 2021.

Publically disclosing flaws can be a tricky matter as soon as the disclosure is made public the flaw can be remedied making the threat posed by the malware increase tenfold. This is particularly true for technically proficient groups like DarkSide.

For that reason, researchers will not publicly disclose flaws to the public rather they work with law enforcement and victims to nullify the threat and decrypt data without having to pay the ransom for the decryption key.

It is hoped that this method promotes victims reporting incidents to law enforcement, as local authorities and trusted cyber security partners receive vital information and intelligence, while victims may avoid succumbing to attacker demands.

New Version Similar Mistake

Emisoft researchers armed with their previous knowledge again discovered a similar flaw in later iterations of BlackMatter. The flaw again allowed researchers to bypass the need to pay the ransom for a decryption key. Emisoft then went to work helping victims recover their data. It was not going to be as easy as originally thought as researchers noted,

“However, it wasn’t all smooth sailing. One of the biggest challenges we faced during the operation related to social media, and Twitter in particular. During one of the more high-profile BlackMatter incidents in September 2021, the ransom note was leaked. Ransom notes, including BlackMatter’s, contain critical information intended for the victim only, including instructions on how to reach out and communicate with the threat actor. Consequently, anybody who has access to a note can interact with the gang as though they were the victim. The broad Twitter infosec community quickly picked up on the leak, got their hands on the private link intended for the victim only, and started to hijack the negotiations being held on the BlackMatter communication platform. Soon, both the victim and the BlackMatter operators were confronted with an onslaught of insults and trolling behavior. In addition, screenshots of the conversations were taken and circulated within the Twitter community, which caused even more people to join the “fun”, quickly derailing any sort of intelligence gathering by law enforcement and security researchers in the process.”

The subsequent Twitter storm resulted in BlackMatter operators locking down all further communications hampering law enforcement and Emisoft’s efforts to recover victim data. Further, this would have let BlackMatter know that something was wrong either with their codebase or infrastructure that would need to be solved. Following this BlackMatter operators found and corrected the flaw.

As to what exactly the flaws were in both instances only educated guesses can be made. It is unlikely that the exact nature of the flaws will be disclosed lest it prompts other ransomware gangs to harden their codebase to prevent similar exploitation for the benefit of their victims.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal