The BlackMatter ransomware gang rose to prominence in the criminal underworld this summer after competitors such as DarkSide and REvil fell by the wayside. The upstart group now appears to have suffered the same fate, according to malware researcher VX-Underground.
The group posted a message on its ransomware-as-a-service (RaaS) portal last week indicating it was going out of business due to “pressure from the authorities.” The gang said that within 48 hours (over the weekend) the entire ransomware infrastructure would be disabled, and appeared to give its affiliates a window in which to obtain a decryptor key.
BlackMatter ransomware gang exits the business after a four-month campaign
Operating a service model similar to those of its competitors, the BlackMatter ransomware gang posted the “going out of business” message at its portal for affiliates. The group cited “unsolvable circumstances” as the reason for its dissolution, and alluded to some members of the group being taken in by law enforcement. This could have ties to a Europol operation that took place earlier last week and led to the arrest of 12 people in Ukraine, whom authorities say have ties to “multiple high-profile cases in different jurisdictions”
After the message was posted, the BlackMatter ransomware gang also appeared to offer a decryptor key. This would not appear to be directly intended for use by victims, given that the affiliate portal is on a hard-to-reach dark web site meant only for the eyes of participating criminals. The move was more likely a means to ensure that affiliates still in the midst of the extortion process had a method of universal decryption available once the infrastructure was taken offline.
The pressure from authorities that the BlackMatter ransomware gang cited for its dissolution was made public last month. A joint message from the FBI, CIA and NSA addressed the group’s recent activities and advised that it was now a high priority for US law enforcement given that 52% of its known victims were located in the country. The agencies published a brief dossier of the group’s known techniques and indicated that it might be a reformation of the DarkSide ransomware group that was tied to the Colonial Pipeline attack. The group had claimed that it would not attack critical infrastructure, but it apparently had a flexible definition of that term given that it was observed targeting multiple food supply and distribution organizations.
The BlackMatter ransomware gang caught the attention of authorities by being very active since it first popped up on the radar in July, with its most high-profile target being Japanese tech firm Olympus. But the group also appeared to be focusing on targets in the US, the largest of which was farm services provider Iowa New Cooperative. The company reportedly paid a ransom of $5.9 million to unlock their systems. US authorities warned that BlackMatter was believed to be targeting other businesses in farming and critical infrastructure just prior to the group’s retreat from the internet. With its prior targets, BlackMatter had been demanding ransoms ranging from $80,000 to $30 million. In total it is believed to have hit at least 50 businesses around the world.
Jake Williams, Co-Founder and CTO at BreachQuest, believes that there is more than just increased law enforcement attention at play in seemingly shortening the life span of these threat actors: “It’s clear that ransomware operators are feeling the pressure of decreased payment rates, owed largely to better backups and other preparation by victims … Of course even after payment, there’s little incentive for the operators to delete data. With groups rebranding so often, the reputation damage from leaking data after a group “shuts down” would be minimal … The note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping. But we shouldn’t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month. This was already hurting relationships with affiliates. It’s not hard to imagine given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats.”
Ransom payments intercepted, but another rebrand may be coming
New Zealand’s Emsisoft, a leading cybersecurity firm, has been assisting victims of the BlackMatter ransomware gang in recent months. The group found a flaw in the gang’s encryption process that allowed it to recover files without a decryption key, and it has also been active in notifying global law enforcement agencies.
With the release of the decryption key to affiliates, Emsisoft believes that this is probably the end of the BlackMatter brand. However, the firm does not believe the hackers will retire. The BlackMatter ransomware gang may well have contained members of the former DarkSide team, which shut down in June just a little more than a month before the first BlackMatter attacks began. If high-level ransomware operators are not caught by law enforcement, they are extremely likely to just take a short break and then come back under a different name in a bid to throw off pursuers.
These operators sometimes evolve their tactics with each new incarnation. The BlackMatter ransomware gang’s malware was similar to that of DarkSide in the manner in which it targeted both Windows and Linux systems, but it added a custom data exfiltration tool allowing it to steal files from a victim more quickly prior to locking systems out. DarkSide was in turn one of the first groups to implement the “ransomware-as-a-service” model and to present a public relations presence to tech and security journalists, and it was also an early adopter of the “double extortion” trend of stealing sensitive files and threatening to “dox” victims that refused to pay.
Though decryption keys were made available to BlackMatter affiliates, security researchers say that victims should not expect them to be made available to the general public as previously happened when REvil and several other ransomware gangs dissolved. BlackMatter is apparently redirecting affiliates to the LockBit ransomware site as an alternate means of communicating with victims after its own infrastructure goes dark. While new attacks are likely to cease at this point, victims that have already been compromised may need to continue negotiations with the affiliate that attacked them.
Kev Breen, Director of Cyber Threat Research at Immersive Labs, provides some expert insight on key takeaways from what is known of the group’s breakup: “It does not appear to be a takedown of their servers or infrastructure like we have seen in some recent examples … For the higher-tier members of the group, including the malware authors that develop the infrastructure and the ransomware malware, I would expect one of two things: either they will lay low and resurface in the future with a modified version and some new infrastructure and start recruiting affiliates again or, depending on how much pressure they are facing, they may choose to sell the source code and any stash of data to the highest bidder before taking a longer break.”