IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

BlackMatter ransomware gang claims to have ceased operation

Despite the announcement made via its client portal, experts believe the hacker group will soon be planning a return

Distributors of the BlackMatter ransomware have announced plans to end the project entirely amid mounting pressure from domestic law enforcement.

The announcement made by the cyber criminals was acquired by vx-underground, the information security group which collects and publishes malware source code, samples, and papers online.

The criminal group posted the message to its online ransomware-as-a-service (RaaS) portal, notifying past and current clients who use it to get access to BlackMatter.

Roughly translated from Russian to English, the statement reads:

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

  • Issue mail to companies for further communication.
  • Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.

We wish you all success, we were glad to work. 

The announcement appears to revoke access to the ransomware and the group's services, preventing any new threat actors from purchasing or distributing the BlackMatter ransomware.

BlackMatter has been used recently in a spate of attacks against US-based critical infrastructure entities, primarily in the agriculture space.

It prompted the US' CISA, FBI, and NSA to issue a joint advisory in October warning businesses to the danger of the attempts made against the likes of an Iowa farm cooperative, which was held to a ransom of $5.9 million (£4.3 million) in September. 

Despite shutting the operation, industry experts remain unconvinced it will spell the end of the group behind the ransomware, saying that a return under a different guise is likely.

“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering," Carl Wearn, head of e-crime at Mimecast said to IT Pro

"Cyber criminals that are making this much money rarely give up, as the greed that drives them to commit the crimes in the first place rarely allows them to stop. Many criminal organisations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name."

Echoing the thinking, Steve Forbes, government cyber security expert at Nominet said to IT Pro: "Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.

"This could, of course, be a deliberate ploy if they feel that their communications with affiliates is being monitored, perhaps to divert the attention of law enforcement to other ransomware gangs."

Others said the group behind BlackMatter was itself a rebrand of other ransomware groups that came before it. Given the lucrative nature of ransomware, the motivation to continue is likely to remain. 

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

"Ransomware is such a lucrative ‘business’, with a reliable flow of money, that it’s unlikely the core BlackMatter developers will be out of action for long," said Toby Lewis, global head of threat analysis at Darktrace to IT Pro. 

"Rebrands are in fact so common that BlackMatter themselves were considered a rebrand from DarkSide, who in turn were believed to be a rebrand of elements of REvil. This trend is another indicator of the professionalisation of the cyber-crime industry, as groups increasingly behave like business entities, paying heed to their brand, reputation and even public relations."

Most recently, a ransomware gang also believed to be a rebrand of a different successful group claimed to have hacked the NRA last week.

Russia-based Grief, believed to be an Evil Corp offshoot, claimed to have stolen files from the firearm association and leaked it on the dark web, threatening to leak more if the ransom wasn't paid.

Evil Corp is currently under sanctions from the US Treasury Department as the group is believed to behind the theft of more than $100 million (£73.3 million) from financial institutions in more than 40 countries.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
How full-stack observability can accelerate IT innovation
Sponsored

How full-stack observability can accelerate IT innovation

3 May 2022