Nov 04, 2021

CybelAngel and F-Secure share views on BlackMatter shutdown

Tags: CybelAngel, F-Secure, Cybersecurity, Ransomware
The BlackMatter ransomware operation, which came to prominence earlier this year is allegedly shutting down due to “pressure from the authorities.”

The BlackMatter ransomware operation, which came to prominence earlier this year following the demise of the DarkSide ransomware gang, is allegedly shutting down due to “pressure from the authorities.”

According to a report on TechCrunch, the group announced plans to shut down in a message posted on its ransomware-as-a-service portal, where other criminal groups typically register in order to get access to the BlackMatter ransomware strain. The message, obtained by a member of the vx-underground infosec group, translates to: “Due to certain unsolvable circumstances associated with pressure from the authorities, the project is closed.”

Cybersecurity companies CybelAngel and F-Secure share their views with Cyber Magazine on the news.

David Sygula, Senior Cybersecurity Analyst at CybelAngel says: “Although no clear confirmation has been made by the group so far, their leaking website is offline. There's always a bit of a mystery when a group stops their activity; the reasons are never clear, but either way there is little chance that it means the end of the group.

“A rebranding sounds like a good option and it's also what is to be expected. Every time a group catches too much attention, it's easier to rebrand and start from scratch - or so it seems - to blur their tracks. But being ironically victims of their own success and no matter under what name, they will come back, and we will quickly make the link with their previous operations. Their name may change, but their techniques won't.”

Callum Roxan, Head of Threat Intelligence at F-Secure adds: “As BlackMatter is widely considered to be a rebranded group of DarkSide, that similarly ‘shut down’ due to external pressures, it is certainly possible the group could rebrand again and continue to operate. However, the BlackMatter announcement does suggest that some group members may no longer be at liberty to operate as cyber-criminals and this could cause the remaining members to splinter or find other pursuits due to the heat they may be feeling from external parties. In the wider picture, there remain a number of active Ransomware-as-a-Service (RaaS) operators and affiliates that ex-BlackMatter members can look to operate with going forward if they wish.”

Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit concludes: “When a ransomware group shuts, affiliates are now free to join other groups or rivals to continue their operations. BlackMatter running a Ransomware-as-a-Service model and announcing a shutdown would indicate they are no longer providing the actual ransomware encryption service. The developers behind the ransomware are typically highly skilled and if they have not been identified by authorities, they could potentially live a normal life joining a corporate organization or move on to join another group.

“When a ransomware group announces a shutdown, they have been known to release a master decryption key to the public before calling it quits. BlackMatter has done just that in their announcement, and it is likely victims of BlackMatter will soon be able to obtain a decryptor. However, BlackMatter has been assumed to be an incarnation of DarkSide ransomware (responsible for the Colonial Pipeline attack) who also announced a shutdown after increased attention from authorities and government. With BlackMatter now shutting down after just a few months of operations, it does seem to indicate that law enforcement may have already known the identity of the group members, and this was realized by the group.

“With recent arrests and takedowns of different ransomware groups (REvil infrastructure taken down, Europol detaining a Ukrainian group linked to a few ransomware attacks), it is probably a proactive step for these ransomware groups to lay low for the moment. This shouldn’t be seen as the end because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups that are operating so organizations and defenders should not be taking a breather, but focus on disrupting them further.

“It would not be surprising if this particular group rebrands in later months, as this would not be the first time nor the first group who has rebranded (e.g. REvil a rebrand of GandCrab, Conti ransomware being the successor of Ryuk or Karma ransomware likely a rebrand of Nemty ransomware).”
