The BlackMatter ransomware group has announced it has shut down operations, stating that key members are no longer "available", following pressure from local authorities.
The ransomware collective announced the closure of their operations effective 5 November, claiming that some of its key members are no longer “available,” which, if true, could be an indication that BlackMatter-affiliated threat actors may have been compromised or made the decision to no longer partake in ransomware activities.
It is important to note, that when a ransomware collective goes dark like BlackMatter and REvil, it doesn’t necessarily mean that the threat actors associated with the group will cease future cyber crime activities, according to Flashpoint analysts.
Re-emergence is common
BlackMatter announced its end following a major Europol operation in Switzerland and Ukraine, conducted in concert with US law enforcement, in which 12 people accused of running ransomware operations were targeted in raids on 29 October. The targets reportedly had more than 1,800 victims in 71 countries.
In the same month, a different transnational cyber operation forced REvil – another major ransomware gang – to go offline.
On numerous occasions, affiliates of a defunct ransomware group were quick to reorient themselves in the threat actor community by associating with active ransomware groups, or by starting their own, Flashpoint analysts have observed.
The analysts also assess with moderate confidence, based on earlier experiences, that following the fall of BlackMatter (and potentially REvil), new ransomware collectives will be formed.
Several ransomware groups that have gone offline, either temporarily or permanently, were later reborn or rebranded. This year, following a ban on ransomware ads by several top-tier cyber crime forums, ransomware operators adapted their recruiting techniques to these new rules and created RAMP, a forum for ransomware operators and developers, with Flashpoint analysts cautioning that BlackMatter’s closure may see its affiliates spread to other ransomware groups, or start their own, as has frequently happened before.
Notably, the spokesperson of the LockBit ransomware group took to XSS and used the opportunity to invite BlackMatter members and affiliates to live in China, where the threat actor claimed to live.
US-Russia Ransomware Talks
Flashpoint analysts have also observed threat actors discussing the news of BlackMatter’s apparent demise. The analysts also observed chatter in the threat actor community that Russian authorities – involved in diplomatic ransomware talks with the US – are potentially making "strategic concessions" with the US and forced the closure.
Earlier, threat actors on top-tier forums also noted that REvil, behind the Colonial Pipeline and JBS attacks, was first forced offline shortly after diplomatic talks started.
Peter Mackenzie, director of incident response at Sophos weighs in on the BlackMatter shutdown, explaining that it could just be part of a "rebrand".
“The ransomware attack against Colonial Pipeline in the US earlier this year resulted in the shutting down of DarkSide ransomware who had claimed responsibility, this resulted in DarkSide returning under the new name of BlackMatter shortly after."
"While the name was different, the core ransomware code was not, and it had the same weaknesses that allowed free decrypters to be produced, in October, a security company announced they had a decrypter for BlackMatter and had been secretly helping victims."
"Taking these factors into account, it is likely this is yet another ransomware group pretending to shutdown, when in reality, it is just a rebrand and launch of a new improved version sometime soon in the future,” Mackenzie said.
Any resurgence will be watched closely by Australian authorities as the updated Critical Infrastructure Bill is finalised. BlackMatter has shown a willingness and ability to attack CI providers, taking down a farmers’ cooperative in the US – a direct hit on its food supply chain.
Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. She started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.