The prolific ransomware group that rose from the ashes of DarkSide appears to be going dark—again. BlackMatter said it will shut down due to increased pressure from authorities, according to a message posted on its website.
VX-Underground, which aggregates a collection of malware source code, samples and assorted resources, posted a screenshot of the Russian-language message, on its Twitter feed. It also posted an English translation.
“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed,” the message said.
BlackMatter, which operates as a ransomware as a service (RaaS) operation, will still allow its infrastructure to issue mail to companies for further communication as well as permit its affiliates to get a decryptor for its ransomware, according to the message.
“For this write ‘give a decryptor’ inside the company chat, where necessary,” the message read. “We wish you all success, we were glad to work.”
VX-Underground told BleepingComputer that the message was sent to the organization directly from BlackMatter, according to a published report.
Arrests Spur Shutdown?
The group didn’t mention what the “latest news” that inspired it to close its doors. However, the culprit could be Europol’s apprehension last week of 12 individuals allegedly responsible for “wreaking havoc across the world with ransomware attacks against critical infrastructure,” according to an agency press release.
The EU’s top law-enforcement agency arrested the so-called “high-value targets” for ransomware cybercrime perpetrated across 17 countries in Ukraine and Switzerland on Oct. 26, Europol said in the release.
The individuals were not named and were said to have different roles in their respective criminal organizations, according to Interpol. Therefore, it’s unclear if the member of the BlackMatter team who “is no longer available” is one of those who was apprehended.
However, the shutdown of BlackMatter’s predecessor DarkSide ransomware—perhaps most infamous for its disruptive attack on Colonial Pipeline—also occurred after a raid by authorities. Experts believe the two events are be connected.
Key Ransomware Threat Retired—For Now
BlackMatter emerged in July shortly after and made its presence on the ransomware scene known in just a short time. In September alone the group struck three times, targeting Japanese tech giant Olympus and two agricultural cooperatives in the United States—Iowa-based farmers feed and grain cooperative NEW Cooperative and Minnesota-based supply and grain marketing cooperative Crystal Valley.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI and the National Security Agency (NSA) officially warned only a few weeks ago that BlackMatter was poised to spring its ransomware on even more victims, advising businesses to shore up their security defenses and monitor networks carefully for any unusual activity.
That threat of activity appears to be dimmer for now, although BlackMatter’s affiliates can still carry out its nefarious activity given that they can still receive its decryptor by staying in contact with the gang.
Moreover, if history is any indication, BlackMatter’s remaining crew will likely regroup and restart its ransomware activity again under a new identity in the future. Other ransomware gangs that shut down in the past also eventually reemerged under a different name, including Maze, which resurfaced as Egregor; and Bitpaymer, which morphed into DoppelPaymer and now operates as Grief, which recently reportedly targeted the National Rifle Association.
