Flipping the Script: How Security Researchers Cost a Ransomware Developer Millions of Dollars

The battle between infosec and hackers isn't always uphill for the former. Occasionally, the good guys experience a huge win. This is one of those times.

Ransomware is one of the oldest attack methods — and to this day, it remains one of the most successful. Whether dealing with business or personal data, most of us don’t back up our files as often as we should. Whether in our private or professional lives, most of us don’t browse with the level of care that we should. 

Ransomware developers thrive on this carelessness. A business without proper backups can do little except pay the ransom. And when malicious code manages to lock down critical infrastructure such as healthcare devices, it can very easily cost people their lives. 

It’s therefore unsurprising that, over the past two years, we’ve seen a massive surge in ransomware attacks. As reported by The Intelligencer, a complex blend of geopolitical and cybersecurity factors coupled with better payment infrastructure have together created a perfect storm for criminals. Ransomware attacks have never been easier to pull off, nor more profitable. 

This has had one very fortunate side effect — given the ease with which they can now execute an attack, some criminals have grown complacent. Consider, for instance, what recently happened with ransomware-as-a-service provider BlackMatter. You might recall that earlier this month, TechCrunch reported on the operation’s plans to shut down due to ‘pressure from authorities.’

Law enforcement may not be the only reason the criminal developers jumped ship. As reported by ZDNet, the BlackMatter ransomware platform contained a rather glaring security flaw that allowed researchers at Emsisoft to extract its decryption keys. And that’s precisely what the researchers did, quietly providing victims of BlackMatter with keys for several months, costing the operation millions of dollars in the process. 

Known initially as DarkSide, BlackMatter gained notoriety as the culprit behind the May 2021 Colonial Pipeline attack, ZDNet reports. Emsisoft first uncovered a vulnerability in the malicious software in December 2020, though it was patched out just a month later.

With the launch of BlackMatter — by all indications a rebrand of DarkSide — Emsisoft discovered a similar programming flaw. Though BlackMatter eventually closed the second loophole, the damage was already done. The operation had already lost a considerable sum of money, to say nothing of the reputational damage in criminal circles. 

Our guess is that while law enforcement certainly did play a part in BlackMatter’s shutdown, the hits it took to its reputation played just as significant a part. Recall that 60% of companies close within six months of a data breach (Cybersecurity Ventures). That exact figure could most certainly be applied to cybercrime operations — between the lost revenue and the damage to its reputation, BlackMatter was likely already struggling.

The crackdown was just the final nail in the coffin. 

The back-and-forth between security personnel and cybercriminals is a never-ending one. But stories like this are a reminder that, although security teams face a daunting landscape, their task is not an impossible one. Criminals make mistakes just like anyone else.

And we can exploit those mistakes to keep people safe.