Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal

Or so says infsec outfit Emsisoft

Hurling online abuse at ransomware gangs may have contributed to a hardline policy of dumping victims' data online, according to counter-ransomware company Emsisoft.

Earlier this month, the Conti ransomware gang declared it would publish victims' data and break off ransom negotiations if anyone other than "respected journalist and researcher personalities" [sic] dared publish snippets of ransomware negotiations, amid a general hardening of attitudes among ransomware gangs.

Typically these conversation snippets make it into the public domain because curious people log into ransomware negotiation portals hosted by the criminals. The BlackMatter (aka DarkSide) gang's portal credentials (detailed in a ransom note) became exposed to the wider world, however, and the resulting wave of furious abuse hurled at the crims prompted them to pull up the virtual drawbridge.

"As cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process," sighed Emsisoft CTO Fabian Wosar in a blog post. "Unfortunately, that meant one of the most valuable tools we had to reach victims disappeared literally overnight, leading to missed victims who may have unnecessarily paid ransoms."

Ransomware gangs use media and social media coverage as a tool to help them pressurise their victims into paying up, reserving mocking publicity and document dumps for those who refuse to bow to the extortionists' demands. Their public image among targets appears to be important to that subset of the criminal underworld.

Something else that has troubled Emsisoft, when it comes to ransomware publicity, is decryptors. The problem is simple: if it becomes public knowledge that there is an exploitable flaw in a ransomware strain that lets victims decrypt their networks without paying a ransom, that alerts the criminals, who then fix the flaw and continue profitably targeting other victims. Such a flaw existed in Blackmatter (aka DarkSide)'s ransomware, allowing (so Wosar blogged) Emsisoft to quietly decrypt victims' files.

However, although the flaw was spotted in December 2020, DarkSide patched it on 12 January 2021 – one day after infosec firm Bitdefender released a free decryptor, having discovered the same flaw.

It appears, however, that after DarkSide's resurrection as BlackMatter, a very similar technical mistake was made by its developers, at least according to Emsisoft: "We were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims' data without the need for a ransom to be paid."

BlackMatter is still active and is targeting agricultural organisations in the US, according to the US CISA infosec agency. Meanwhile, their fellow crooks REvil vanished offline last week amid US boasts that it along with "like-minded countries" had successfully landed a knockout blow against the gang. Britain's GCHQ and Ministry of Defence (representing the National Cyber Force state-sponsored hacking crew) both declined to say if they were involved.

Ransomware is regarded as the number one threat to UK organisations by the National Cyber Security Centre, with chief exec Lindy Cameron having repeated this warning throughout the year. ®

Similar topics

Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021