IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

BlackMatter ransomware gang claims to have ceased operation

Despite the announcement made via its client portal, experts believe the hacker group will soon be planning a return

Distributors of the BlackMatter ransomware have announced plans to end the project entirely amid mounting pressure from domestic law enforcement.

The announcement made by the cyber criminals was acquired by vx-underground, the information security group which collects and publishes malware source code, samples, and papers online.

The criminal group posted the message to its online ransomware-as-a-service (RaaS) portal, notifying past and current clients who use it to get access to BlackMatter.

Roughly translated from Russian to English, the statement reads:

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

  • Issue mail to companies for further communication.
  • Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.

We wish you all success, we were glad to work. 

The announcement appears to revoke access to the ransomware and the group's services, preventing any new threat actors from purchasing or distributing the BlackMatter ransomware.

BlackMatter has been used recently in a spate of attacks against US-based critical infrastructure entities, primarily in the agriculture space.

It prompted the US' CISA, FBI, and NSA to issue a joint advisory in October warning businesses to the danger of the attempts made against the likes of an Iowa farm cooperative, which was held to a ransom of $5.9 million (£4.3 million) in September. 

Despite shutting the operation, industry experts remain unconvinced it will spell the end of the group behind the ransomware, saying that a return under a different guise is likely.

“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering," Carl Wearn, head of e-crime at Mimecast said to IT Pro

"Cyber criminals that are making this much money rarely give up, as the greed that drives them to commit the crimes in the first place rarely allows them to stop. Many criminal organisations claim to shut down in an attempt to reduce the heat, just to splinter, or return after a brief hiatus under a different name."

Echoing the thinking, Steve Forbes, government cyber security expert at Nominet said to IT Pro: "Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves. If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future.

"This could, of course, be a deliberate ploy if they feel that their communications with affiliates is being monitored, perhaps to divert the attention of law enforcement to other ransomware gangs."

Others said the group behind BlackMatter was itself a rebrand of other ransomware groups that came before it. Given the lucrative nature of ransomware, the motivation to continue is likely to remain. 

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

"Ransomware is such a lucrative ‘business’, with a reliable flow of money, that it’s unlikely the core BlackMatter developers will be out of action for long," said Toby Lewis, global head of threat analysis at Darktrace to IT Pro. 

"Rebrands are in fact so common that BlackMatter themselves were considered a rebrand from DarkSide, who in turn were believed to be a rebrand of elements of REvil. This trend is another indicator of the professionalisation of the cyber-crime industry, as groups increasingly behave like business entities, paying heed to their brand, reputation and even public relations."

Most recently, a ransomware gang also believed to be a rebrand of a different successful group claimed to have hacked the NRA last week.

Russia-based Grief, believed to be an Evil Corp offshoot, claimed to have stolen files from the firearm association and leaked it on the dark web, threatening to leak more if the ransom wasn't paid.

Evil Corp is currently under sanctions from the US Treasury Department as the group is believed to behind the theft of more than $100 million (£73.3 million) from financial institutions in more than 40 countries.

Featured Resources

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

The Total Economic Impact™ of IBM robotic process automation

Cost savings and business benefits enabled by robotic process automation

Free Download

Multi-cloud data integration for data leaders

A holistic data-fabric approach to multi-cloud integration

Free Download

MLOps and trustworthy AI for data leaders

A data fabric approach to MLOps and trustworthy AI

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation
cyber crime

Interpol arrests nearly 1,000 cyber criminals in months-long anti-fraud operation

25 Nov 2022