Blackmatter Ransomware Group Shuts Down - Cyber Security News

November 3, 2021
BlackMatter Ransomware Operation Announces Shutdown

The BlackMatter ransomware operation, gaining notoriety earlier this year after the DarkSide ransomware group ceased operations, is reportedly ceasing activity due to escalating “pressure from law enforcement.”

RaaS Portal Announcement

The group communicated its intention to shut down via a message posted on its ransomware-as-a-service (RaaS) portal. This platform is typically used by other malicious actors to gain access to the BlackMatter ransomware strain.

According to a translation obtained by vx-underground, an infosec collective, the message stated: “Due to circumstances that cannot be resolved, linked to pressure from authorities (a portion of the team is unavailable following recent developments), the project is closed.”

Infrastructure Shutdown and Decryption

The announcement detailed a 48-hour timeframe for complete infrastructure shutdown. Following this, the group indicated it would facilitate communication with affected companies and provide decryption tools.

Specifically, the message instructed those needing a decryptor to request it by writing ‘give a decryptor’ within the company’s designated communication channel.

Possible Contributing Factors

The “recent developments” referenced in the message remain unclear. However, the announcement coincides with a recent report from the New York Times detailing increased collaboration between the U.S. and Russia to combat cybercriminal organizations operating within Russia.

This announcement also follows a joint advisory issued by CISA, the FBI, and the NSA. This advisory warned that the BlackMatter ransomware group had targeted organizations critical to national infrastructure, including entities within the U.S. food and agriculture sectors.

The advisory provided detailed information regarding the group’s tactics, techniques, and procedures (TTPs).

Potential Link to Law Enforcement Actions

It is plausible that the missing team members mentioned in the announcement are connected to a recent international law enforcement operation.

This operation resulted in the detention of 12 individuals implicated in approximately 1,800 ransomware attacks across 71 countries.

BlackMatter’s History and Impact

The BlackMatter group first surfaced in July of this year and is believed to be responsible for a significant number of attacks against U.S. businesses.

Notable incidents include the attack on NEW Cooperative, an Iowa-based farm service provider, which faced a ransom demand of $5.9 million. Additionally, Japanese technology firm Olympus was targeted in September, leading to a network shutdown across Europe, the Middle East, and Africa.

Ransom Demands and Decryption Efforts

Ransom demands from BlackMatter have varied considerably, ranging from $80,000 to $15 million, typically requested in cryptocurrency.

However, Emsisoft, a New Zealand-based cybersecurity firm, asserts it has prevented “tens of millions of dollars” in ransom payments from reaching the group.

By identifying a vulnerability in the group’s encryption process, Emsisoft was able to discreetly assist BlackMatter ransomware victims in recovering their encrypted files without payment.

Uncertain Future

Initially, Emsisoft threat analyst Brett Callow suggested that this decryption campaign could signal the end for BlackMatter.

However, Callow has since expressed uncertainty, stating to TechCrunch: “It’s impossible to determine if this represents a permanent exit or merely another rebrand.”

He concluded with a hopeful sentiment: “Let’s hope it’s the former.”
