The BlackMatter ransomware group, which has targeted critical infrastructure entities in the United States and elsewhere, has decided to cease operations, saying that some of its members are “no longer available”.
The apparent shutdown by BlackMatter comes with plenty of questions, chief among them being whether it’s real. Other ransomware groups have announced similar moves, only to reemerge a few weeks or months later, sometimes under a different name. Some security researchers have theorized that BlackMatter is itself a partial reincarnation of the DarkSide group, best known for its audacious and ill-conceived attack on the Colonial Pipeline in May. In a message posted on an underground forum this week, BlackMatter operators said, “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) - the project is closed.”
The post said the BalckMatter infrastructure would be taken down after 48 hours and decryptor keys would be offered to victims of existing intrusions.
“The cynic in me believes this is just a temporary hiatus, and once again we will see a rebrand or resurrection of BlackMatter -- whether it is under the same name, or a different brand name, this very well may not be the end of this group,” said John Hammond of Huntress, who has tracked ransomware groups.
“Since the group's inception, there has been a lurking consensus that BlackMatter has been a revival of the DarkSide ransomware gang, infamous for their attack on Colonial Pipeline. Ultimately, this is just one ransomware group in a sea of cybercriminals. Even if BlackMatter were to close up shop, other actors craving the lucrative payout from ransomware will step right up to the plate.”
The shutdown follows a number of moves by authorities in the United States and Europe to put pressure on ransomware operators in various ways. In October, the Department of Justice announced the formation of a new Cryptocurrency Enforcement Team that is tasked with tracing cryptocurrency transactions associated with ransomware operations and disrupting that economy using legal tools. The Biden administration has also formed a ransomware task force to address the problem from a policy and technical perspective, and last week authorities from several countries arrested 12 people in Ukraine and Switzerland as part of a crackdown on a ransomware group that has targeted critical infrastructure.
"Even if BlackMatter were to close up shop, other actors craving the lucrative payout from ransomware will step right up to the plate.”
The U.S. also has applied political pressure, specifically in Russia. In July, President Joe Biden had a phone call with Russian President Vladimir Putin in which he emphasized that the U.S. would take whatever actions needed to disrupt the ransomware economy, much of which is centered in Russia.
“President Biden also spoke with President Putin about the ongoing ransomware attacks by criminals based in Russia that have impacted the United States and other countries around the world. President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia and emphasized that he is committed to continued engagement on the broader threat posed by ransomware,” a readout of the call from the White House says.
Because many of the ransomware groups are based in Russia or other countries not prone to allowing U.S. law enforcement to operate on their soil or to extradite their citizens, direct legal action against those groups has proven difficult. But the political and policy pressures seem to be having an effect, as do some offensive operations by western governments against ransomware operators’ infrastructure.
“Pressure from U.S. law enforcement has to have some impact on ransomware operations, no matter how big or small. In interviews with ransomware gangs (like REvil as a prime example), they often chest-thump and boast, ‘laws or regulations don't scare us, they only make us work harder and faster’,” Hammond said.
“But I sincerely believe there has to be a looming fear that they will be caught and reprimanded. The recent arrests and takedowns speak for themselves. While the cybercriminals charge and challenge political pressure, US law enforcement continues to prove its power.”