The message goes on to say, “After 48 hours, the entire infrastructure will be turned off, it is allowed to: – Issue mail to companies for further communication. – Get decryptors, for this write “give a decryptor” inside the company chat where they are needed. We wish you all success, we were glad to work.” A screenshot of the original message and the English translation was posted on Twitter by cyber security group vx-underground.
The Cause of the Shutdown
The announcement of the shutdown comes after two recent moves by US government agencies and a recent high-profile Europol arrest of 12 suspected ransomware criminals. In September, the United States Department of the Treasury released a statement outlining recent advancements in the US Government’s counter-ransomware strategy. The advancements included a more proactive approach of disrupting criminal networks and the virtual currency exchanges used for laundering ransoms. Then, in October, a joint advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). The advisory provided “information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well as from trusted third-party reporting.” Finally, last week, Europol arrested 12 “high-value targets” for allegedly “wreaking havoc across the world with ransomware attacks against critical infrastructure,” per the agency’s press release. The individuals, detained in Ukraine and Switzerland, are accused of carrying out ransomware attacks across 17 countries.
Who is BlackMatter and Will They Return?
The threat from BlackMatter may be diminished for now, but that doesn’t mean the group is completely gone or will never return. The group’s affiliates are still active, as alluded to in the group’s message. Additionally, if the group’s history is any indication of its staying power, BlackMatter’s members will be back at some point, even if under another name. BlackMatter itself is said to be the successor of the DarkSide and REvil ransomware groups and was first identified in July 2021, when the gang recruited a network of affiliates through ads posted on two cybercrime forums. With the group’s shutdown now imminent, the question becomes: which ransomware-as-a-service group will be the next to take its place?