Distributors of the BlackMatter ransomware have announced plans to end the project entirely amid mounting pressure from domestic law enforcement.
The announcement made by the cyber criminals was acquired by vx-underground, the information security group which collects and publishes malware source code, samples, and papers online.
The criminal group posted the message to its online ransomware-as-a-service (RaaS) portal, notifying past and current clients who use it to get access to BlackMatter.
Roughly translated from Russian to English, the statement reads:
Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:
- Issue mail to companies for further communication.
- Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.
We wish you all success, we were glad to work.
The announcement appears to revoke access to the ransomware and the group's services, preventing any new threat actors from purchasing or distributing the BlackMatter ransomware.
BlackMatter has been used recently in a spate of attacks against US-based critical infrastructure entities, primarily in the agriculture space.
It prompted the US' CISA, FBI, and NSA to issue a joint advisory in October warning businesses to the danger of the attempts made against the likes of an Iowa farm cooperative, which was held to a ransom of $5.9 million (£4.3 million) in September.
Despite shutting the operation, industry experts remain unconvinced it will spell the end of the group behind the ransomware, saying that a return under a different guise is likely.
“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering," Carl Wearn, head of e-crime at Mimecast said to IT Pro.
"Cyber criminals that are making this much money rarely give up, as the greed that drives them to commit the crimes in the first place rarely allows them to stop. Many criminal organisations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name."
Echoing the thinking, Steve Forbes, government cyber security expert at Nominet said to IT Pro: "Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.
"This could, of course, be a deliberate ploy if they feel that their communications with affiliates is being monitored, perhaps to divert the attention of law enforcement to other ransomware gangs."
Others said the group behind BlackMatter was itself a rebrand of other ransomware groups that came before it. Given the lucrative nature of ransomware, the motivation to continue is likely to remain.
RELATED RESOURCE
The best defence against ransomware
How ransomware is evolving and how to defend against it
"Ransomware is such a lucrative ‘business’, with a reliable flow of money, that it’s unlikely the core BlackMatter developers will be out of action for long," said Toby Lewis, global head of threat analysis at Darktrace to IT Pro.
"Rebrands are in fact so common that BlackMatter themselves were considered a rebrand from DarkSide, who in turn were believed to be a rebrand of elements of REvil. This trend is another indicator of the professionalisation of the cyber-crime industry, as groups increasingly behave like business entities, paying heed to their brand, reputation and even public relations."
Most recently, a ransomware gang also believed to be a rebrand of a different successful group claimed to have hacked the NRA last week.
Russia-based Grief, believed to be an Evil Corp offshoot, claimed to have stolen files from the firearm association and leaked it on the dark web, threatening to leak more if the ransom wasn't paid.
Evil Corp is currently under sanctions from the US Treasury Department as the group is believed to behind the theft of more than $100 million (£73.3 million) from financial institutions in more than 40 countries.
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
NCA confirms arrest after airport cyber disruptionNews Disruption is easing across Europe following the ransomware incident
-
Cyber professionals are losing sleep over late night attacksNews Hackers are biding their time and launching attacks when businesses can’t respond
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
