The BlackMatter ransomware gang is reportedly ceasing all its operations, citing increased pressure from local law enforcement authorities.
Many ransomware groups appeared and went underground during 2021, including the infamous DarkSide ransomware group, which came under intense investigation by the authorities after attacking US pipeline infrastructure.
The REvil ransomware gang also went underground after attacking multiple US IT organizations. After this, two ransomware groups emerged, BlackMatter (an alleged rebrand of DarkSide) and Haron, to take advantage of the Ransomware as a Service (RaaS) craze.
BlackMatter Announces its Shutdown
The ransomware gang announced the closure of its operations on its Ransomware as a Service (RaaS) portal, which cybercriminal groups use to register for access to the BlackMatter ransomware strain.
The message was obtained by a member of the vx-underground infosec group, who translated it:
“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed.”
“After 48 hours the entire infrastructure will be turned off, allowing — Issue mail to companies for further communication; Get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work.”
BlackMatter’s statement in Russian and English
The cybersecurity community is quite skeptical about the shutdown of BlackMatter. Carl Wearn, head of e-crime at Mimecast, believes it is highly unlikely that the threat actors will quit all malicious activities.
“This is highly unlikely to be the end of the threat actors behind the BlackMatter group, and this looks like a classic rebrand or splintering… Many criminal organizations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name.”
Steve Forbes, government cybersecurity expert at Nominet, said that successful cybercriminal gangs like BlackMatter cannot stay away from cybercriminal activity for long and may return after a brief period.
“Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.”
BlackMatter’s Previous Attacks
According to the Cybersecurity and Infrastructure Security Agency (CISA), BlackMatter was first observed in July as a RaaS group that supplies its tooling to cybercrime affiliates, who then carry out attacks against companies.
As a possible rebrand of the DarkSide group, BlackMatter has been known to target various organizations in the US, demanding ransoms ranging from $80,000 to $15 million. BlackMatter has attacked multiple US companies this year, including an Iowa-based grain company, from which it demanded a ransom of $5.9 million.
However, it is common for ransomware groups to shut down for reasons other than pressure from the authorities, such as relationship issues with affiliates or technical problems.
Jake Williams, CTO and co-founder of BreachQuest, said:
“At this point it’s not clear whether core group members are ‘unavailable’ because they are in custody or have simply decided the stakes are too high to continue operations,”
“But the note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping.”
Image Credits: Hackread.com (An image from the website of BlackMatter)
Williams also pointed to a flaw in BlackMatter’s ransomware that ended up costing its affiliates and operators a few million dollars last month. It may therefore not have taken much pressure to push BlackMatter into shutting down, as the group had already damaged its relationship with its affiliates.
New Zealand-based cybersecurity firm Emsisoft says it prevented “tens of millions of dollars” in ransom payments from reaching the BlackMatter gang. After a significant flaw was found in the group’s ransomware, Emsisoft helped the gang’s victims recover their encrypted files without paying any ransom.
Brett Callow, a threat analyst at Emsisoft, said he had considered their decryption campaign the end of BlackMatter, but he is no longer so sure.
According to Callow:
“It’s impossible to say whether this will be a permanent exit or simply another rebrand,”
“Let’s hope it’s the former.”
Xue Yin Peh, a senior cyber threat intelligence analyst at Digital Shadows, said:
“Although BlackMatter’s announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter,”
“1) Members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities; 2) Members or affiliates are absorbed into the ransomware-as-a-service programs of other groups; 3) BlackMatter will rebrand into a new program under another name. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools, and then re-emerge with a new and improved payload.”