BlackMatter ransomware

The BlackMatter ransomware is allegedly shutting down its operation due to pressure from the authorities and recent law enforcement operations.

BlackMatter operates a private ransomware-as-a-service (RaaS) website that affiliates can use to communicate with the core operators, open support tickets, and receive new ransomware builds.

Today, security research group VX-Underground was sent a screenshot of a message allegedly posted by the BlackMatter operators on November 1st on the RaaS website. This post warns affiliates that the ransomware operation was shutting down in 48 hours.

BlackMatter announcing their shut down in affiliate site
BlackMatter announcing their shut down in affiliate site

This post roughly translates to English as the following:

"Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) - project is closed.

After 48 hours the entire infrastructure will be turned off, allowing:

 * Issue mail to companies for further communication
 * Get decryptor. For this write "give a decryptor" inside the company chat, where necessary.
 
We wish you all success, we were glad to work."

It is unclear what "latest news" is referring to, but the missing team members could be related to a recent international law enforcement operation arresting twelve individuals linked to 1,800 ransomware attacks in 71 countries.

In July, the REvil public-facing representative known as 'Unknown' also went missing, leading to the shutting down of REvil.

If this post is legitimate and BlackMatter is shutting down its operation, it does not mean that the threat actors will no longer extort existing victims.

Based on the post, the RaaS site will allow affiliates to receive decryptors for existing victims so that they can continue extorting victims on their own.

BleepingComputer has not confirmed the validity of the post, but VX-Underground told BleepingComputer that a BlackMatter affiliate sent them the image.

Whether BlackMatter is shutting down remains to be seen, as it has been more than 48 hours since the warning was issued to affiliates, and the group's Tor payment site and data leak remain operational.

Since this post originally published, the BlackMatter gang has been busy cleaning up traces of their activity online, including withdrawing deposited Bitcoins on hacker forums, deleting forum posts, and deactivating their accounts.

BlackMatter deleting posts on hacking forums
BlackMatter deleting posts on hacking forums
Source: pancak3lullz

BleepingComputer also discovered that the BlackMatter, or its affiliates, have partnered with the competing LockBit ransomware operation to move victim's to LockBit's negotiation site for continued extortion.

BlackMatter affiliate transfering victim to LockBit site
BlackMatter affiliate transfering victim to LockBit site
Source: BleepingComputer

Likely to rebrand as a new ransomware 

However, even if BlackMatter shuts down its operation, we will likely see them return as a different group in the future.

When ransomware gangs feel pressure from law enforcement or target a highly sensitive organization, it is common that they shut down their operation and relaunch under a new name.

BlackMatter is already a rebrand of the DarkSide operation, which shut down after attacking the Colonial Pipeline and feeling the full pressure of international law enforcement.

Other ransomware operations that have rebranded in the past include:

It is only a matter of time until the operators of BlackMatter relaunch under a different name.

Update 11/5/21: Added information about current shut down activities.

Related Articles:

Patelco shuts down banking systems following ransomware attack

Affirm says cardholders impacted by Evolve Bank data breach

Prudential Financial now says 2.5 million impacted by data breach

CDK Global says all dealers will be back online by Thursday

Meet Brain Cipher — The new ransomware behind Indonesia's data center attack