The BlackMatter ransomware group is allegedly shutting down its operation due to pressure from law enforcement agencies. The gang runs a ransomware-as-a-service (RaaS) website. A screenshot sent to a security research group revealed a message allegedly posted by the gang. The message reportedly warns affiliates that the ransomware operation was shutting down in 48 hours, BleepingComputer reported.
A ransomware-as-a-service (RaaS) product uses affiliates. The affiliates subscribe to the product which gives them tools to execute attacks. They earn a percentage of each successful ransom payment. The developers even develop high-end tools like a dashboard to display the real-time status of the attack.
Further, just like any other software, developers also open support tickes, issue new ransomware builds, and communicate with affiliates.
Here’s the dashboard for BlackMatter, with the news announcing the shut down.
The announcement roughly translates to English as the following:
“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – project is closed. After 48 hours the entire infrastructure will be turned off, allowing:
* Issue mail to companies for further communication
* Get decryptor. For this write “give a decryptor” inside the company chat, where necessary.
We wish you all success, we were glad to work.”
Latest News & the Pressure from Authorities
Law enforcement agencies, especially those from the U.S. are going after ransomware gangs. Although it is unclear as to what is the ‘latest news’, unavailability of BlackMatter team members could be related to Europol’s apprehension of 12 people responsible for ransomware attacks on critical infrastructure.
The agency said it had arrested “high-value targets”, responsible for cybercrimes across 17 countries, in Ukraine and Switzerland. The news comes only a few days after a multi-country action forced the REvil ransomware group to go offline.
Interestingly, BlackMatter itself emerged in July 2021, after DarkSide and Revil (initially) shut their operations. It was a ‘rebrand’ of DarkSide, that infamously attacked the Colonial Pipeline and made $90 million in ransoms in just nine months. However, the operators behind BlackMatter claim that they are closely acquainted with DarkSide operators, but they are not the same people.
Threat of Arrest Changing Behavior
Ransomware operators are knows for notorious rebrands. They regroup and reappear, sometimes under a new name. Other ransomware gangs that shut down in the past also eventually reemerged under a different name, including Maze, which resurfaced as Egregor; and Bitpaymer, which morphed into DoppelPaymer and now operates as Grief
However, with the key threat actors- REvil, DarkSide, and Blackmatter gone from the RaaS scene, the threat appears to be low for now.
Speaking to the Washington Post, cyber expert and Executive Chairman of of Silverado Policy Accelarator, said:
“The latest voluntary disappearance of REvil highlights the powerful psychological impact of having these villains believe that they are being hunted and that their identities will be revealed.”