{
	"id": "8e55912e-e648-430f-b8c8-5486af28e366",
	"created_at": "2026-04-06T02:12:31.378296Z",
	"updated_at": "2026-04-10T03:35:29.198463Z",
	"deleted_at": null,
	"sha1_hash": "8b5bdd3fdb83c45c738b7032ba7afc392562d42b",
	"title": "Hitting the BlackMatter gang where it hurts: In the wallet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 647403,
	"plain_text": "Hitting the BlackMatter gang where it hurts: In the wallet\r\nBy Fabian Wosar\r\nPublished: 2021-10-24 · Archived: 2026-04-06 02:10:30 UTC\r\nEarlier this year, Emsisoft researchers discovered a critical flaw in the BlackMatter ransomware that allowed them to help victims recover their files without paying a ransom, preventing millions of dollars falling into the hands of cybercriminals. The work has been conducted quietly and privately so as not to alert the BlackMatter operators to the flaw. For the reasons discussed below, we believe it is now safe to share the story without jeopardizing the operation.\r\nOver the past decade, Emsisoft has dedicated itself to the global fight against ransomware.\r\nDuring this time, we have seen numerous ransomware gangs come and go. The exact motivations for their disappearance are often unclear, but we can make some well-educated guesses.\r\nPerhaps the most common reason is financial fulfillment. Threat actors run a successful campaign, generate enough money for their participants to retire comfortably and choose to cease operations. In other situations, retirement is more about self-preservation, with threat actors withdrawing from the ransomware game after attracting too much unwanted attention.\r\nFor BlackMatter’s predecessor, DarkSide, it was very much a case of the latter.\r\nA brief history\r\nDarkSide had been a major player in the ransomware-as-a-service landscape since August 2020, and generally targeted large private sector organizations that could afford seven-figure ransom demands. It had been one of the most active groups until early May 2021, when the gang bit off more than it could chew by attacking the largest pipeline system for refined oil products in the U.S.: Colonial Pipeline. The attack, which caused fuel shortages and forced some airlines to reschedule flights, impacted the daily lives of millions of people on the Eastern seaboard, drawing a large amount of attention from the press – as well as the ire of the U.S. authorities.\r\nThe U.S.’ retaliation was swift. Within days, DarkSide had lost control over some of its critical infrastructure, including bitcoin wallets that contained the $4.4 million ransom Colonial Pipeline had hastily paid in the hopes of quickly getting back to an operational state. Feeling the pressure, DarkSide went dark – until, that was, late July 2021.\r\nOn July 21, 2021, a new post made by the user account “BlackMatter” appeared on a popular underground forum:\r\nhttps://blog.emsisoft.com/en/39181/on-the-matter-of-blackmatter/\r\nPage 1 of 6\r\nMachine translation of an advertisement post looking for access to corporate networks, courtesy of our friends at Curated Intelligence\r\nThe advertiser was looking to recruit parties who could provide access to corporate networks of companies with more than $100,000,000 yearly revenue. This is a common practice for ransomware-as-a-service operations, where the different aspects of an attack are usually outsourced to other, more specialized groups or individuals. In this particular case, the BlackMatter user was looking to recruit initial access providers and brokers.\r\nShortly after, on July 27, 2021, it became apparent who this mysterious poster was and why they were willing to purchase access to company networks when a new leak site was discovered on the dark web: BlackMatter Ransomware.\r\nBlackMatter ransomware leak website\r\nOne of the most interesting aspects of the BlackMatter leak site is the list of prohibited targets that must not be attacked by any BlackMatter affiliate. The industries on this list very much reflect the industries that the U.S. designates as critical infrastructure – the same industries that got DarkSide into trouble in the first place, and the same industries that U.S. President Joe Biden declared as off-limits to malicious cyber activity in a private meeting with Russian President Vladimir Putin in June 2021. But BlackMatter had and has no intention of adhering to its own rules. Since the leak site was launched, the gang has attacked U.S. critical infrastructure entities including blood testing facilities and organizations in the food and agriculture sector.\r\nWhen we first got our hands on an actual BlackMatter payload on July 31st, 2021, the initial rumors that BlackMatter could be a repaint of the DarkSide operation were quickly confirmed. The very first BlackMatter version turned out to be almost identical to the last DarkSide version, with the only difference being minor incremental improvements. This first version was quickly followed up with multiple new iterations of the BlackMatter payload and, at the time of writing, the latest internal version number of the payload has reached 2.0.\r\nRepeating past mistakes\r\nDarkSide’s original run wasn’t flawless. For example, on December 12, 2020, Emsisoft researchers noticed a mistake the DarkSide operators had made that allowed us to decrypt the data encrypted by the Windows version of the ransomware without the need for a ransom to be paid. The gang fixed this flaw on January 12, 2021.\r\nPublicly disclosing the existence of a flaw in ransomware can alert the threat actors to its existence, resulting in them immediately fixing the problem. Consequently, in the case of gangs that we believe to be technically sophisticated – such as DarkSide/BlackMatter – we do not publicly announce or disclose the existence of vulnerabilities. Instead, we communicate our decryption capabilities in private via a network of law enforcement agencies and trusted parties. In our opinion, this approach enables us to help as many victims for as long as possible. Additionally, it creates an incentive for victims to report ransomware incidents to local authorities as they may, in return, be able to provide crucial intelligence from third parties such as us which avoids the need for ransom demands to be paid.\r\nKnowing DarkSide’s past mistakes, we were surprised when BlackMatter introduced a change to their ransomware payload that allowed us to once again recover victims’ data without the need for a ransom to be paid. As soon as we became aware of the gang’s error, we quietly reached out to our partners, who then assisted us in reaching as many victims as possible before they paid BlackMatter’s ransom.\r\nSince then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands.\r\nHowever, it wasn’t all smooth sailing. One of the biggest challenges we faced during the operation related to social media, and Twitter in particular. During one of the more high-profile BlackMatter incidents in September 2021, the ransom note was leaked. Ransom notes, including BlackMatter’s, contain critical information intended for the victim only, including instructions on how to reach out and communicate with the threat actor. Consequently, anybody who has access to a note can interact with the gang as though they were the victim.\r\nThe broad Twitter infosec community quickly picked up on the leak, got their hands on the private link intended for the victim only, and started to hijack the negotiations being held on the BlackMatter communication platform. Soon, both the victim and the BlackMatter operators were confronted with an onslaught of insults and trolling behavior. In addition, screenshots of the conversations were taken and circulated within the Twitter community, which caused even more people to join the “fun”, quickly derailing any sort of intelligence gathering by law enforcement and security researchers in the process.\r\nExtended verification introduced as a consequence of extensive trolling\r\nWe have been fighting ransomware for more than ten years, so we understand the frustration the infosec community feels towards ransomware threat actors better than anyone. However, as cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process. Unfortunately, that meant one of the most valuable tools we had to reach victims disappeared literally overnight, leading to missed victims who may have unnecessarily paid ransoms.\r\nThe inevitable end\r\nWhile reading this post, you might have had a hunch where all of this was heading. After all, if BlackMatter hadn’t figured out that something was wrong on their own, we would have continued our work in silence. But, unfortunately, BlackMatter released an update several weeks ago that fixed the flaw we were using to help victims.\r\nHowever, just because this specific vulnerability has run its course doesn’t mean our work is done. While we are confident that we managed to reach many BlackMatter victims, there are still some victims that we haven’t been able to contact.\r\nBeyond BlackMatter, our team has identified vulnerabilities in about a dozen active ransomware families. In these cases, we can recover the vast majority of victims’ encrypted data without a ransom payment. As with BlackMatter, we aren’t making the list of families public until the vulnerability has been found and fixed by their respective operators. This is why we encourage victims to report incidents to law enforcement, as they may be able to direct them to us or other companies that can help.\r\nEven if we cannot help them avoid paying a ransom, our battle-earned expertise and world-class tools can often allow them to recover much faster, frequently shaving days or even weeks off the recovery time.\r\nLast but not least, we are also issuing an open invitation to all law enforcement agencies, governmental institutions, and CERTs, as well as all insurance and digital forensic and incident response providers. We are constantly expanding both our capabilities and network to reach and help more victims. If you are interested in what we can do for you, your clients, or even your citizens, don’t hesitate to reach out.\r\nSource: https://blog.emsisoft.com/en/39181/on-the-matter-of-blackmatter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.emsisoft.com/en/39181/on-the-matter-of-blackmatter/"
	],
	"report_names": [
		"on-the-matter-of-blackmatter"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441551,
	"ts_updated_at": 1775792129,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b5bdd3fdb83c45c738b7032ba7afc392562d42b.pdf",
		"text": "https://archive.orkl.eu/8b5bdd3fdb83c45c738b7032ba7afc392562d42b.txt",
		"img": "https://archive.orkl.eu/8b5bdd3fdb83c45c738b7032ba7afc392562d42b.jpg"
	}
}