BlackMatter ransomware gang claims to have ceased operation

A 2D mockup image of a business paying a cyber criminal for a ransom
(Image credit: Shutterstock)

Distributors of the BlackMatter ransomware have announced plans to end the project entirely amid mounting pressure from domestic law enforcement.

The announcement made by the cyber criminals was acquired by vx-underground, the information security group which collects and publishes malware source code, samples, and papers online.

The criminal group posted the message to its online ransomware-as-a-service (RaaS) portal, notifying past and current clients who use it to get access to BlackMatter.

Roughly translated from Russian to English, the statement reads:

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

  • Issue mail to companies for further communication.
  • Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.

We wish you all success, we were glad to work.

The announcement appears to revoke access to the ransomware and the group's services, preventing any new threat actors from purchasing or distributing the BlackMatter ransomware.

BlackMatter has been used recently in a spate of attacks against US-based critical infrastructure entities, primarily in the agriculture space.

It prompted the US' CISA, FBI, and NSA to issue a joint advisory in October warning businesses to the danger of the attempts made against the likes of an Iowa farm cooperative, which was held to a ransom of $5.9 million (£4.3 million) in September.

Despite shutting the operation, industry experts remain unconvinced it will spell the end of the group behind the ransomware, saying that a return under a different guise is likely.

“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering," Carl Wearn, head of e-crime at Mimecast said to IT Pro.

"Cyber criminals that are making this much money rarely give up, as the greed that drives them to commit the crimes in the first place rarely allows them to stop. Many criminal organisations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name."

Echoing the thinking, Steve Forbes, government cyber security expert at Nominet said to IT Pro: "Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.

"This could, of course, be a deliberate ploy if they feel that their communications with affiliates is being monitored, perhaps to divert the attention of law enforcement to other ransomware gangs."

Others said the group behind BlackMatter was itself a rebrand of other ransomware groups that came before it. Given the lucrative nature of ransomware, the motivation to continue is likely to remain.


The best defence against ransomware

How ransomware is evolving and how to defend against it


"Ransomware is such a lucrative ‘business’, with a reliable flow of money, that it’s unlikely the core BlackMatter developers will be out of action for long," said Toby Lewis, global head of threat analysis at Darktrace to IT Pro.

"Rebrands are in fact so common that BlackMatter themselves were considered a rebrand from DarkSide, who in turn were believed to be a rebrand of elements of REvil. This trend is another indicator of the professionalisation of the cyber-crime industry, as groups increasingly behave like business entities, paying heed to their brand, reputation and even public relations."

Most recently, a ransomware gang also believed to be a rebrand of a different successful group claimed to have hacked the NRA last week.

Russia-based Grief, believed to be an Evil Corp offshoot, claimed to have stolen files from the firearm association and leaked it on the dark web, threatening to leak more if the ransom wasn't paid.

Evil Corp is currently under sanctions from the US Treasury Department as the group is believed to behind the theft of more than $100 million (£73.3 million) from financial institutions in more than 40 countries.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.