Bowing to pressure from authorities and recent law enforcement operations, the BlackMatter ransomware is apparently shutting down its activities.
BlackMatter runs a private ransomware-as-a-service (RaaS) website where affiliates can contact the core operators, open support tickets, and obtain new ransomware builds.
VX-Underground, a security research group, received a snapshot of a statement reportedly uploaded by the BlackMatter operators on the RaaS website on November 1st. The statement informs affiliates that the ransomware operation will be shut down in 48 hours.
It’s unclear what “latest news” means. Still, the missing team members might be tied to a recent worldwide law enforcement operation that resulted in the arrest of twelve people linked to 1,800 ransomware operations across 71 nations.
In July, the REvil public-facing representative known as ‘Unknown’ also went missing, resulting in the group’s closure. Even if this report is accurate and BlackMatter is shutting down, that does not mean threat actors will stop extorting existing victims.
According to the statement, affiliates will get decryptors for existing victims, allowing them to continue extorting those victims independently.
It’s unclear whether BlackMatter is actually closing down; more than 48 hours have passed since the affiliates were notified, and the group’s Tor payment site and data leak site are still functioning.
Even if BlackMatter ceases operations, we can expect it to resurface as a new entity in the future. When ransomware gangs face law enforcement pressure or target a highly sensitive company, they frequently shut down their operations and resurface under a new identity.
BlackMatter is a rebrand of the DarkSide operation, which was shut down after threatening the Colonial Pipeline and under international law enforcement pressure.