Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal
Or so says infosec outfit Emsisoft
Hurling online abuse at ransomware gangs may have contributed to a hardline policy of dumping victims' data online, according to counter-ransomware company Emsisoft.
Earlier this month, the Conti ransomware gang declared it would publish victims' data and break off ransom negotiations if anyone other than "respected journalist and researcher personalities" [sic] dared publish snippets of ransomware negotiations, amid a general hardening of attitudes among ransomware gangs.
Typically these conversation snippets make it into the public domain because curious people log into ransomware negotiation portals hosted by the criminals. The BlackMatter (aka DarkSide) gang's portal credentials (detailed in a ransom note) became exposed to the wider world, however, and the resulting wave of furious abuse hurled at the crims prompted them to pull up the virtual drawbridge.
"As cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process," sighed Emsisoft CTO Fabian Wosar in a blog post. "Unfortunately, that meant one of the most valuable tools we had to reach victims disappeared literally overnight, leading to missed victims who may have unnecessarily paid ransoms."
Ransomware gangs use media and social media coverage as a tool to help them pressurise their victims into paying up, reserving mocking publicity and document dumps for those who refuse to bow to the extortionists' demands. Their public image among targets appears to be important to that subset of the criminal underworld.
Something else that has troubled Emsisoft, when it comes to ransomware publicity, is decryptors. The problem is simple: if it becomes public knowledge that there is an exploitable flaw in a ransomware strain that lets victims decrypt their networks without paying a ransom, that alerts the criminals, who then fix the flaw and continue profitably targeting other victims. Such a flaw existed in the BlackMatter (aka DarkSide) ransomware, allowing (so Wosar blogged) Emsisoft to quietly decrypt victims' files.
However, although the flaw was spotted in December 2020, DarkSide patched it on 12 January 2021 – one day after infosec firm Bitdefender released a free decryptor, having discovered the same flaw.
It appears, however, that after DarkSide's resurrection as BlackMatter, a very similar technical mistake was made by its developers, at least according to Emsisoft: "We were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims' data without the need for a ransom to be paid."
BlackMatter is still active and is targeting agricultural organisations in the US, according to the US CISA infosec agency. Meanwhile, their fellow crooks REvil vanished offline last week amid US boasts that it along with "like-minded countries" had successfully landed a knockout blow against the gang. Britain's GCHQ and Ministry of Defence (representing the National Cyber Force state-sponsored hacking crew) both declined to say if they were involved.