BlackMatter ransomware gang is shutting down due to pressure from law enforcement

The BlackMatter ransomware gang announced it is going to shut down its operation due to pressure from law enforcement.

The BlackMatter ransomware group has announced it is shutting down its operation due to the pressure from local authorities.

The announcement was published on the Ransomware-as-a-Service portal operated by the group used by the network of affiliates of the gang.

Cyber security group vx-underground published an image of the message and its translated version in English which states:

“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

-Issue mail to companies for further communication.
-Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.

We wish you all success, we were glad to work. “

The news of the shutdown comes after two major events that have taken place over the past two weeks.

The decision of the gang comes after the recent announcement of closer collaboration of US and Russian authorities in curbing cybercriminal organizations based in Russia, such as the FIN7 cybercrime gang.

In October, The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations. The advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.

The BlackMatter group launched its operations the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.

The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.

The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.

BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang has implemented a Linux encryptor to targets VMware ESXi virtual machine platform. 

BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

Recently, an international operation conducted by law enforcement from several states allowed to shut down and seize the attack infrastructure used by the REVIL ransomware group.

Last week, a joint operation conducted by Europol, the Norwegian Police, and other authorities led to the arrest of 12 individuals over ransomware attacks on organizations worldwide, including critical infrastructure operators.

The suspects were involved in more than 1,800 ransomware attacks against victims across 71 countries, the threat actors focused on large corporations.

The list of victims of the group also includes Norwegian giant Norsk Hydr that was hit in 2019. In just one week after the ransomware attack, the company declared it had more than $40 million in losses.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BlackMatter)

[adrotate banner=”5″]

[adrotate banner=”13″]