The BlackMatter ransomware operation, which came to prominence earlier this year following the demise of the DarkSide ransomware gang, is allegedly shutting down due to “pressure from the authorities."
The group announced plans to shut down in a message posted on its ransomware-as-a-service (RaaS) portal, where other criminal groups typically register in order to get access to the BlackMatter ransomware strain. The message, obtained by a member of the vx-underground infosec group, translates to: "Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed.
“After 48 hours the entire infrastructure will be turned off, allowing — Issue mail to companies for further communication; Get decryptor. For this write 'give a decryptor' inside the company chat, where necessary. We wish you all success, we were glad to work.”
It’s unclear what “latest news” is referring to, although the message follows a recent New York Times report that announced that the U.S. and Russia had started collaborating more closely to crack down on cybercriminal organizations based in Russia. It also comes after CISA, the FBI and the NSA published an advisory warning that the BlackMatter ransomware group has targeted “multiple” organizations considered critical infrastructure, including two organizations in the U.S. food and agriculture sector. The advisory provided information on tactics, techniques and procedures (TTPs) associated with the ransomware gang.
There’s also a chance that BlackMatter’s missing team members could be linked to a recent international law enforcement operation that detained 12 individuals linked to 1,800 ransomware attacks in 71 countries.
The BlackMatter group first emerged in July this year and is believed to be responsible for numerous attacks against U.S. companies, including the recent attack on NEW Cooperative, an Iowa-based farm service provider that was hit with a $5.9 million ransom demand to unlock their systems. BlackMatter also hit Japanese technology giant Olympus in September, forcing the shutdown of the company’s European, Middle East and Africa network.
BlackMatter ransom demands have ranged from $80,000 to $15 million in cryptocurrency, according to the recent advisory from U.S. law enforcement agencies. However, New Zealand-based cybersecurity company Emsisoft claims to have prevented “tens of millions of dollars” in ransom payments from reaching the BlackMatter group. After uncovering a flaw in the group’s encryption process, it was able to quietly help BlackMatter ransomware victims recover encrypted files without having to pay the ransom.
At the time, Emsisoft threat analyst Brett Callow said this decryption campaign could be BlackMatter’s demise. Now, however, he's not so sure.
"It’s impossible to say whether this will be a permanent exit or simply another rebrand," Callow told TechCrunch. "Let’s hope it’s the former."