BlackMatter is claiming to be a successor to Darkside and REvil, two other notorious ransomware threat actors responsible for the cyberattacks on Colonial Pipeline and Kaseya.

The cybersecurity company Emsisoft, uncovered a vulnerability in the threat actor’s encryption soon after the BlackMatter ransomware attacks were launched.

This specific vulnerability was allowing the cybersecurity company to produce a decryptor that let them restore victims’ files without paying a ransom.

Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands.


The company used more than referrals, as it also found interesting details through the BlackMatter samples and ransom notes publicly uploaded to various sites.

How Were the Victims Helped?

When a BlackMatter sample was made public, the researchers were able to extract the ransom letter and obtain access to the victim’s and ransomware gang’s negotiation. After identifying the victim, Emsisoft would contact them privately about the decryptor, allowing them to avoid paying the ransom.

Other individuals may have found the ransomware samples and notes and they could have hijacked negotiation sessions or released photographs of the discussions on Twitter.

As a result, BlackMatter locked down its negotiation site, allowing only victims to access it, making it difficult for researchers to discover victims this way.

We have been fighting ransomware for more than ten years, so we understand the frustration the infosec community feels towards ransomware threat actors better than anyone.

However, as cathartic as throwing expletives might have felt, it resulted in BlackMatter locking down their platform, and locking us and everyone else out in the process.


As explained by BleepingComputer, BlackMatter found out about the decryptor and was able to fix the bugs that were allowing the researchers to decrypt victims’ files.

One of the ways BlackMatter may have become aware of the existence of the flaw is by monitoring networks and company communications post breach. It is why we always recommend victims to switch to a secure communications channel, like a dedicated Signal group for example, as well as ensure none of the compromised network is involved in the general recovery processes.


If you liked this article, follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything we post.

DarkSide Ransomware 101

REvil/Sodinokibi Ransomware: Origin, Victims, Prevention Strategies

BlackMatter Ransomware Hits New Cooperative

Leave a Reply

Your email address will not be published. Required fields are marked *