BlackMatter ransomware gang allegedly shutting down after legal pressure
A member of the BlackMatter ransomware gang claims that the group is shutting down after increased pressure from authorities.
The group was founded earlier this year and is a successor to the DarkSide ransomware gang that shut down in May. DarkSide was best known for its ransomware attack on Colonial Pipeline Co. and donating part of their ill-gotten gains to charity.
“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) — project is closed,” someone representing the group wrote on a Russian hacking forum. “After 48 hours, the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write ‘give a decryptor’ inside the company chat, where necessary. We wish you all success, we were glad to work.”
What “the latest news” means was not explained. The Register reported today that the news could be related to police forces in Ukraine and Switzerland arresting 12 ransomware suspects earlier this week. Members of BlackMatter may have been detained in the raids.
And it is possible that law enforcement may have forced the group’s hand. Infamous ransomware group Revil announced it was shutting down in October after being hacked with it later coming to light that a multicountry law enforcement operation had hacked them.
That said, many are rightly skeptical given that BlackMatter is DarkSide rebranded.
“The announcement from BlackMatter that they are shutting down operations due to pressure from authorities should be met with skepticism, at best,” Mark Carrigan, cyber vice president, process safety and OT cybersecurity at Hexagon PPM, told SiliconANGLE. “This would not be the first time that they, and others, have made such an announcement only to resurface at a later date.”
Peter Mackenzie, director of incident response at Sophos plc, agreed, noting that BlackMatter is simply DarkSide rebranded following the Colonial Pipeline attack. “While the name was different, the core ransomware code was not, and it had the same weaknesses that allowed free decrypters to be produced,” MacKenzie explained. “In October, a security company announced they had a decrypter for BlackMatter and had been secretly helping victims. Taking these factors into account, it is likely this is yet another ransomware group pretending to shut down when in reality it is just a rebrand and launch of a new improved version sometime soon in the future.”
Photo: NASA Universe/Flickr
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.