BlackMatter ransomware gang, which is believed to be a rebrand of DarkSide, has decided to end the project, giving in to the pressures of the local law enforcement authorities.
In 2021, we have seen many mainstream ransomware groups go underground and new groups emerging in their place. First, it was the DarkSide ransomware, the disappearance of which Hackread.com reported in May 2021. The group had attacked US Pipelines and was under great government scrutiny.
Then the REvil ransomware gang went underground after targeting numerous US IT firms. Soon after, two new groups Haron and BlackMatter emerged to benefit from the Ransomware as a Service (RaaS) frenzy.
BlackMatter ransomware gang, which is believed to be a rebrand of DarkSide, has decided to end the project, giving in to the pressures of the local law enforcement authorities.
BlackMatter Announces to Shut Down
According to the official shut down statement posted by DarkMatter on November 1st and acquired by a security group called VX-Underground, which usually publishes malware samples, ransomware-related events, source code, and papers online, the group will be offline within 48 hours.
VX-Underground also shared a screenshot of the message on their Twitter account. The original message, according to VX-Underground, was in the Russian language, and it was translated into English for the convenience of readers.
“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:
After 48 hours the entire infrastructure will be turned off, allowing:
* Issue mail to companies for further communication
* Get decryptor. For this write “give a decryptor” inside the company chat, where necessary.
We wish you all success, we were glad to work.”
The message was posted on the group’s RaaS portal to notify all past and present clients about its closure. Its affiliates would use this website to contact the core operators, seek support, and build new ransomware.
It is apparent from the announcement that the group’s services and the ransomware will become inaccessible after 48 hours, and new threat actors won’t be able to distribute or purchase BlackMatter ransomware.
Screenshots with the group’s statement in English and Russian language:
Cybersecurity Community Skeptical
The cybersecurity fraternity is uncertain regarding the closure of BlackMatter. As per Mimecast’s e-crime head, Carl Wearn, it is improbable that the threat actors will stop their malicious activities.
“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering… Many criminal organizations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name,” Wearn noted.
Nominet’s government cybersecurity expert, Steve Forbes, noted that successful groups like BlackMatter cannot stay aloof for long and may reemerge after a brief hiatus.
“Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.”
About BlackMatter’s Recent Attacks
The ransomware gang was recently used in attacks against critical infrastructure entities in the US, mainly in the agriculture sector, prompting the NSA, CIA, and the FBI to issue an advisory in Oct 2021 warning businesses about the ransomware attacks.
Some of the group’s latest targets according to its website include:
Image from BlackMatter’s website (Credit: Hackread.com)
