BlackMatter ransomware gang allegedly disbanding due to pressure from authorities

Operators of the ransomware-as-a-service group are claiming that the project is closed and that their entire infrastructure will be turned off.


The BlackMatter ransomware group is reportedly closing up shop due to pressure from law enforcement officials. A Wednesday Twitter post from malware researcher VX-Underground broke the news with a screenshot of a statement apparently from BlackMatter operators. Roughly translated from Russian into English, the statement reads as follows:

"Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed.

After 48 hours the entire infrastructure will be turned off, it is allowed to:

Issue mail to companies for further communication

Get decryptors. For this write "give a decryptor" inside the company chat, where they are needed.

We wish you all success, we were glad to work."


The message is somewhat cryptic, especially in the loose translation. It is unclear exactly what pressure was placed on the group or which authorities were responsible. But Kev Breen, director of Cyber Threat Research for Immersive Labs, cites a few takeaways.

"It does not appear to be a takedown of their servers or infrastructure like we have seen in some recent examples," Breen said. "This means that any existing victims are not likely to get decryption keys handed to them. This is also reinforced by the second half of the message suggesting that those companies or personnel already dealing with active ransoms should continue to do so just by switching their communication method and getting the decryptors now before the infrastructure is shut down."

The reference to part of the team no longer being available could be related to a recent law enforcement operation that led to the arrest of 12 people linked to a host of ransomware attacks around the world, according to Bleeping Computer. However, the promise to turn off the entire infrastructure after 48 hours is murky. That amount of time has already passed since the statement was sent to VX-Underground, and the group's Tor payment site and data leak site are still up, Bleeping Computer added.

First noticed this past July, BlackMatter is a Ransomware-as-a-Service group: its operators develop and maintain the ransomware and supporting infrastructure, while cybercriminal affiliates stage the actual attacks against organizations and split the proceeds, according to the Cybersecurity and Infrastructure Security Agency. A possible rebranding of the infamous DarkSide gang, BlackMatter has targeted several victims in the U.S. with ransom demands ranging from $80,000 to $15 million.

Beyond any pressure exerted by authorities, ransomware gangs and RaaS operators can implode due to technical issues and strained relationships with affiliates.

"At this point it's not clear whether core group members are 'unavailable' because they are in custody or have simply decided the stakes are too high to continue operations," said Jake Williams, co-founder and CTO at BreachQuest. "But the note specifically mentions local law enforcement pressure, and that's a sign that saber rattling appears to be helping."


But Williams also pointed to a bug in BlackMatter's ransomware, a flaw in its encryption that allowed victims to recover files without paying and that cost operators and affiliates millions in ransom payments over the last month. Because this incident had already hurt the group's relationships with affiliates, it may not have taken much pressure from authorities to convince key BlackMatter members to quit.

Does this mean the end of BlackMatter? Even assuming the statement is legitimate, ransomware operators that claim to disband have a habit of resurfacing elsewhere. Such individuals may lie low for a while to avoid the long arm of law enforcement but then reappear in another criminal enterprise. DarkSide itself appeared to go to ground after the intense publicity that followed its attack against Colonial Pipeline, only to reportedly re-emerge as BlackMatter.

"Although BlackMatter's announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter," said Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows.

"1) Members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities; 2) Members or affiliates are absorbed into the ransomware-as-a-service programs of other groups; 3) BlackMatter will rebrand into a new program under another name. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools and then re-emerge with a new and improved payload."

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books, one on Windows and another on LinkedIn.