Getty Images/iStockphoto

BlackMatter claims to shut down ransomware operations

Operators behind the ransomware, known to target critical infrastructure, attributed the shutdown to pressure from authorities and the disappearance of team members.

Increased law enforcement action has apparently deterred another ransomware gang.

Operators behind BlackMatter ransomware took to the group's private website, which is used for communications with members and affiliates, to announce activity would cease in 48 hours. In a screenshot shared by security research group VX-Underground, it appears the alert was posted to the ransomware-as-a-service site on Monday.

Less than one month ago, a joint U.S. advisory warned that the Russian-linked ransomware group was targeting critical infrastructure. BlackMatter may also be connected to REvil ransomware operators, known for the significant supply chain attack against Kaseya.

VX-Underground shared the screenshot on Twitter Wednesday and translated the message, which claimed members of the BlackMatter ransomware group "are no longer available." The message also addressed remaining victims.

"Due to certain unsolvable circumstances associated with pressure from authorities (part of the team is no longer available, after the latest news) - the project is closed. After 48 hours, the entire infrastructure will be turned off. It is allowed to: issue mail to companies for further communication. Get decryptors, for this write 'give a decryptor' inside the company chat where they are needed. We wish you all success, we were glad to work," the screenshot on Twitter read.

Last month, Emsisoft revealed how it developed a decryptor for BlackMatter victims that allowed the recovery of data without paying a ransom. While the critical flaw in BlackMatter that enabled the tool was discovered earlier this year, Emsisoft worked privately with victims as not to alert the ransomware gang. However, operators found and updated the bug several weeks ago.

Regarding BlackMatter's recent claims to shut down operations, Emsisoft threat analyst Brett Callow said absolutely nothing that ransomware operators say should be believed.

"This could be an exit scam after which they'll again rebrand, or it could be due to affiliates switching to RaaS they consider to be safer bets, or it could be due to the Russian government exerting some pressure," Callow said in an email to SearchSecurity.

Dmitri Alperovitch, former CTO of CrowdStrike and chairman of government think tank Silverado Policy Accelerator, shared additional possibilities on Twitter. While it is not a clear-cut result of law enforcement pressure, he said "groups are clearly spooked by unexplained disappearing of members" which he said "happened in July with REvil as well."

Alperovitch referenced a Washington Post report Wednesday which said the REvil gang shut down operations last month after U.S. Cyber Command and a foreign government hacked the servers of the operation. While the hack occurred this summer, REvil operators discovered it was compromised just last month. Though it was not reported as a takedown, Washington Post reporters Ellen Nakashima and Dalton Bennett said it "deprived the criminals of the platform they used to extort their victims." 

Alperovitch also addressed the psychological impact disappearances could have on all groups, not only those impacted. He referred to the impact as "very powerful."

"People could be disappearing due to quiet pressure from authorities (no arrests are being announced though). But they could also just be deciding on their own to cash in their chips and avoid the heat. At least for now," Alperovitch said on Twitter.

That heat includes the arrest of two suspected members of an unnamed ransomware gang in Ukraine last month. The coordinated operation involved the French National Gendarmerie, the Ukrainian National Police, the FBI, Europol and Interpol and resulted in the seizure of $375,000 in cash and the asset freezing of $1.3 million in cryptocurrencies.

Europol was involved in another coordinated international law enforcement operation, which was announced last week, that "targeted" 12 alleged ransomware actors. While the suspects' names, ransomware affiliation and arrest status remain unclear, they are accused of involvement in attacks against critical infrastructure and large enterprises.

The long-lasting impact the BlackMatter shutdown will have remains unknown, but Alperovitch said "for now, let's celebrate at least a few of these small victories." Callow still questions the groups' motives but agreed this is a step forward.

"Whatever the case, this is a win and signifies that ransomware operators are increasingly feeling the heat."

Dig Deeper on Threats and vulnerabilities