CybelAngel and F-Secure share views on BlackMatter shutdown

The BlackMatter ransomware operation, which came to prominence earlier this year following the demise of the DarkSide ransomware gang, is allegedly shutting down due to “pressure from the authorities.”

According to a report on TechCrunch, the group announced plans to shut down in a message posted on its ransomware-as-a-service portal, where other criminal groups typically register in order to get access to the BlackMatter ransomware strain. The message, obtained by a member of the vx-underground infosec group, translates to: “Due to certain unsolvable circumstances associated with pressure from the authorities, the project is closed.”

Cybersecurity companies CybelAngel and F-Secure share their views with Cyber Magazine on the news.

David Sygula, Senior Cybersecurity Analyst at CybelAngel, says: “Although no clear confirmation has been made by the group so far, their leaking website is offline. There's always a bit of a mystery when a group stops their activity; the reasons are never clear, but either way there is little chance that it means the end of the group.

“A rebranding sounds like a good option and it's also what is to be expected. Every time a group catches too much attention, it's easier to rebrand and start from scratch - or so it seems - to blur their tracks. But being ironically victims of their own success and no matter under what name, they will come back, and we will quickly make the link with their previous operations. Their name may change, but their techniques won't.”

Callum Roxan, Head of Threat Intelligence at F-Secure, adds: “As BlackMatter is widely considered to be a rebranded group of DarkSide, that similarly ‘shut down’ due to external pressures, it is certainly possible the group could rebrand again and continue to operate. However, the BlackMatter announcement does suggest that some group members may no longer be at liberty to operate as cyber-criminals, and this could cause the remaining members to splinter or find other pursuits due to the heat they may be feeling from external parties. In the wider picture, there remain a number of active Ransomware-as-a-Service (RaaS) operators and affiliates that ex-BlackMatter members can look to operate with going forward if they wish.”

Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit, concludes: “When a ransomware group shuts, affiliates are now free to join other groups or rivals to continue their operations. BlackMatter running a Ransomware-as-a-Service model and announcing a shutdown would indicate they are no longer providing the actual ransomware encryption service. The developers behind the ransomware are typically highly skilled, and if they have not been identified by authorities, they could potentially live a normal life joining a corporate organization or move on to join another group.

“When a ransomware group announces a shutdown, they have been known to release a master decryption key to the public before calling it quits. BlackMatter has done just that in their announcement, and it is likely victims of BlackMatter will soon be able to obtain a decryptor. However, BlackMatter has been assumed to be an incarnation of DarkSide ransomware (responsible for the Colonial Pipeline attack), who also announced a shutdown after increased attention from authorities and government. With BlackMatter now shutting down after just a few months of operations, it does seem to indicate that law enforcement may have already known the identity of the group members, and this was realized by the group.

“With recent arrests and takedowns of different ransomware groups (REvil infrastructure taken down, Europol detaining a Ukrainian group linked to a few ransomware attacks), it is probably a proactive step for these ransomware groups to lay low for the moment. This shouldn’t be seen as the end, because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups that are operating, so organizations and defenders should not be taking a breather, but focus on disrupting them further.

“It would not be surprising if this particular group rebrands in later months, as this would not be the first time nor the first group that has rebranded (e.g. REvil a rebrand of GandCrab, Conti ransomware being the successor of Ryuk, or Karma ransomware likely a rebrand of Nemty ransomware).”
