Oh BlackMatter, we hardly knew ye. The criminal ransomware gang that first appeared in July 2021 has apparently ceased operations as of November 2021. In that short lifespan, however, it still managed to wreak significant havoc with its attacks.
Vx-underground, which tracks ransomware, tweeted out part of an alleged statement from BlackMatter. The original message is in Russian, and the English translation says “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed.” It goes on to say that within 48 hours, the infrastructure supporting the gang will be “turned off.”
That “pressure from the authorities” could be anything, but speculation is swirling in media accounts that one or more BlackMatter members have been arrested. In late October, for instance, Europol announced that it had “targeted” 12 individuals involved in ransomware attacks against “critical infrastructure.” The undertaking was a cooperative effort involving eight countries, the release stated, and it tied the suspects to 1,800 victims across 71 countries:
“The actions took place in the early hours of 26 October in Ukraine and Switzerland. Most of these suspects are considered high-value targets because they are being investigated in multiple high-profile cases in different jurisdictions.”
BlackMatter itself is blamed for several high-profile attacks, including one against the EMEA IT systems of Japanese tech giant Olympus, along with attacks on two U.S.-based agricultural cooperatives: Iowa-based farmers cooperative NEW Cooperative and Minnesota-based cooperative Crystal Valley.
In this case, the damage caused by BlackMatter may have been mitigated by the actions of Emsisoft. The company reported that its researchers had found a critical flaw in the ransomware that enabled victims of the attack to recover their files. “The work has been conducted quietly and privately so as not to alert the BlackMatter operators to the flaw,” Emsisoft said.
Hunting the Hunters
Ransomware groups appear to be scurrying for cover more and more, as governments turn up the heat in an effort to burn them out. Last month, for instance, the notorious group REvil, responsible for the Kaseya and JBS attacks, had its own infrastructure compromised and taken offline.
It should be noted, however, that just because a group has disbanded, that doesn’t mean its members have given up their criminal activities. In the ransomware world, it’s common for these gangs to re-form under another banner. So even though the BlackMatter brand is likely gone for good, the ransomware-as-a-service model that has been incredibly profitable for these organizations will continue on with very little interruption.
(Editor’s Note: to help protect your organization, ActualTech Media has published the definitive guide to ransomware.)