Blackmatter Ransomware Victims Helped with a Secret Decryptor

BlackMatter is claiming to be a successor to Darkside and REvil, two other notorious ransomware threat actors responsible for the cyberattacks on Colonial Pipeline and Kaseya.

The cybersecurity company Emsisoft, uncovered a vulnerability in the threat actor’s encryption soon after the BlackMatter ransomware attacks were launched.

This specific vulnerability was allowing the cybersecurity company to produce a decryptor that let them restore victims’ files without paying a ransom.

Since then, we have been busy helping BlackMatter victims recover their data. With the help of law enforcement agencies, CERTs and private sector partners in multiple countries, we were able to reach numerous victims, helping them avoid tens of millions of dollars in demands.


The company used more than referrals, as it also found interesting details through the BlackMatter samples and ransom notes publicly uploaded to various sites.

How Were the Victims Helped?

When a BlackMatter sample was made public, the researchers were able to extract the ransom letter and obtain access to the victim’s and ransomware gang’s negotiation. After identifying the victim, Emsisoft would contact them privately about the decryptor, allowing them to avoid paying the ransom.

Other individuals may have found the ransomware samples and notes and they could have hijacked negotiation sessions

Read More: