BlackMatter ransomware to shut down, affiliates transferring victims to LockBit

The group posted a message on its private ransomware-as-a-service website on November 1st saying some members of the gang are "no longer available" after "the latest news."

In messages obtained by a member of the vx-underground group, the prolific BlackMatter ransomware group has said it is closing shop due to increased law enforcement pressure. 

The group -- hawking a rebranded version of the DarkSide ransomware used to attack Colonial Pipeline earlier this year -- posted a message on its private ransomware-as-a-service website on November 1st saying some members of the gang are "no longer available" after "the latest news."

"Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) -- project is closed," the group wrote. 

"After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write 'give a decryptor' inside the company chat, where necessary. We wish you all success, we were glad to work." 

While the group did not explain what they meant by "the latest news," there are a variety of stories tied to the ransomware gang's activities over the last two months. 

After closing shop to due law enforcement scrutiny following the attack on Colonial Pipeline in May, the group re-emerged in July under the "BlackMatter" banner. They attacked dozens of companies and CISA identified the group as the perpetrators of multiple attacks on agriculture companies ahead of harvests. 

Last week, Emsisoft CEO Fabian Wosar revealed that his company discovered a flaw in the BlackMatter ransomware allowing them to help victims recover all of their files. The group eventually figured it out and released an updated version of their malware, but Wosar hinted that they were working with law enforcement agencies and others to help victims. 

On Wednesday, the Washington Post reported that US Cyber Command and a foreign government were responsible for the disruption of the REvil ransomware group. Chats from REvil actors were seen by the newspaper and indicate the group's leaders were spooked once they realized law enforcement entities were in their system, shutting down operations for the second time this year. 

Officers from Europol also arrested the Ukrainian group behind the MegaCortex, Dharma and LockerGoga ransomwares. The twelve people arrested allegedly perpetrated more than 1,800 ransomware attacks on critical infrastructure and large organisations around the world.

The immense amount of pressure now facing ransomware groups was noted by General Paul Nakasone, head of US Cyber Command. 

"I'm pleased with the progress we've made," he said, "and we've got a lot more to do," he said during a speech at the Aspen Security Forum on Wednesday. 

Bleeping Computer reported on Wednesday afternoon that BlackMatter operators have already begun moving victims over to the LockBit ransomware site so that they can continue negotiating ransoms. The group is also pulling cryptocurrency out of the Exploit hacking forum and deactivating accounts, according to Bleeping Computer. 

Most experts were quick to note that ransomware groups have now made it a standard practice to close shop and reorganize under a new name. Multiple ransomware groups have done it, some multiple times, as soon as law enforcement pressure gets to be too much to handle. 

Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows, said DarkSide, Avaddon and Egregor are just some examples of groups that folded their operations following the after-effects of a prominent attack. 

"Although BlackMatter's announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter: Members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities and Member or affiliates are absorbed into the ransomware-as-a-service programs of other groups," Yin Peh said. 

"Or, BlackMatter will rebrand into a new program under another name. Given how highly lucrative ransomware operations are, it is unlikely that those behind BlackMatter will cease operations entirely. An eventual rebranding seems more probable, but how soon this will happen remains to be seen. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools, and then re-emerge with a new and improved payload."

Picus Security's Dr. Süleyman Özarslan noted that ransomware gangs typically rebrand in 6-month cycles.

Other experts, like BreachQuest CTO Jake Williams, said better backups and other preparation by victims were decreasing ransom payment rates in some instances, forcing ransomware groups to increasingly rely on double extortion methods to regain leverage. 

"The creation of the data exfiltration tool shows that groups are not only worried about standardizing their encryption operations, but also their extortion operations. The mere existence of the tool shows how important the double extortion process has become for operators," Williams said. 

"At this point it's not clear whether core group members are 'unavailable' because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that's a sign that saber rattling appears to be helping. But we shouldn't forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month. This was already hurting relationships with affiliates. It's not hard to imagine given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats."