BlackMatter ransomware gang claims to have ceased operation

Despite the announcement made via its client portal, experts believe the hacker group will soon be planning a return

Distributors of the BlackMatter ransomware have announced plans to end the project entirely amid mounting pressure from domestic law enforcement.

The announcement made by the cyber criminals was acquired by vx-underground, the information security group which collects and publishes malware source code, samples, and papers online.

The criminal group posted the message to its online ransomware-as-a-service (RaaS) portal, notifying past and current clients who use it to get access to BlackMatter.

Roughly translated from Russian to English, the statement reads:

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

  • Issue mail to companies for further communication.
  • Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.

We wish you all success, we were glad to work. 

The announcement appears to revoke access to the ransomware and the group's services, preventing any new threat actors from purchasing or distributing the BlackMatter ransomware.

BlackMatter has been used recently in a spate of attacks against US-based critical infrastructure entities, primarily in the agriculture space.

It prompted the US' CISA, FBI, and NSA to issue a joint advisory in October warning businesses to the danger of the attempts made against the likes of an Iowa farm cooperative, which was held to a ransom of $5.9 million (£4.3 million) in September. 

Despite shutting the operation, industry experts remain unconvinced it will spell the end of the group behind the ransomware, saying that a return under a different guise is likely.

“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering," Carl Wearn, head of e-crime at Mimecast said to IT Pro

"Cyber criminals that are making this much money rarely give up, as the greed that drives them to commit the crimes in the first place rarely allows them to stop. Many criminal organisations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name."

Echoing the thinking, Steve Forbes, government cyber security expert at Nominet said to IT Pro: "Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.

"This could, of course, be a deliberate ploy if they feel that their communications with affiliates is being monitored, perhaps to divert the attention of law enforcement to other ransomware gangs."

Others said the group behind BlackMatter was itself a rebrand of other ransomware groups that came before it. Given the lucrative nature of ransomware, the motivation to continue is likely to remain. 

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

"Ransomware is such a lucrative ‘business’, with a reliable flow of money, that it’s unlikely the core BlackMatter developers will be out of action for long," said Toby Lewis, global head of threat analysis at Darktrace to IT Pro. 

"Rebrands are in fact so common that BlackMatter themselves were considered a rebrand from DarkSide, who in turn were believed to be a rebrand of elements of REvil. This trend is another indicator of the professionalisation of the cyber-crime industry, as groups increasingly behave like business entities, paying heed to their brand, reputation and even public relations."

Most recently, a ransomware gang also believed to be a rebrand of a different successful group claimed to have hacked the NRA last week.

Russia-based Grief, believed to be an Evil Corp offshoot, claimed to have stolen files from the firearm association and leaked it on the dark web, threatening to leak more if the ransom wasn't paid.

Evil Corp is currently under sanctions from the US Treasury Department as the group is believed to behind the theft of more than $100 million (£73.3 million) from financial institutions in more than 40 countries.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Recommended

Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021
Almost 70% of CISOs expect a ransomware attack
ransomware

Almost 70% of CISOs expect a ransomware attack

19 Oct 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021