DarkSide’s alter ego BlackMatter shuts shop following law enforcement ops

The distributors of the BlackMatter ransomware have announced plans to shut down operations due to immense pressure from the authorities and recent law enforcement operations.

The BlackMatter ransomware group first raised its head soon after the DarkSide ransomware gang was forced to shut shop in May this year. The demise of DarkSide occurred not long after the group extracted $5 million as ransom payment from US pipeline giant Colonial Pipeline. The gang said it was shutting shop as its servers and cryptocurrency accounts were allegedly seized “at the request of law enforcement agencies.”

A couple of months later, security researchers began observing malicious activities being carried out by a new ransomware gang that called itself BlackMatter. It, however, didn’t take them too long to conclude that BlackMatter was, in fact, the DarkSide gang operating under a new name.

“This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We have serious doubts about this last statement as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack,” said the McAfee Enterprise Advanced Threat Research (ATR) in a blog post.

As per a joint alert issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA, BlackMatter is a ransomware-as-a-service (RaaS) tool that allows the ransomware’s developers to profit from cybercriminal affiliates (i.e., BlackMatter actors) who deploy it against victims.

“BlackMatter is a possible rebrand of DarkSide, a RaaS which was active from September 2020 through May 2021. BlackMatter actors have attacked numerous U.S.-based organisations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero,” the alert read. The hacker group’s list of victims includes several US-based critical infrastructure entities, including two U.S. Food and Agriculture Sector organisations.

It now appears that the BlackMatter ransomware gang is facing the same fate as its predecessor. On 1 November, security research group vx-underground tweeted a screenshot of a message posted on BlackMatter’s Ransomware-as-a-Service (RaaS) portal, warning affiliates that the group would shut down its operations within 48 hours.

Here’s a translation of the post which was written in Russian:

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

- Issue mail to companies for further communication.

- Get decryptors, for this write “give a decryptor” inside the company chat where they are needed.

We wish you all success, we were glad to work.

The statement clearly indicates that the circumstances of BlackMatter’s shutdown are very similar to the chain of events that led to the demise of DarkSide in May this year. Recently, a multi-national law enforcement operation led to the arrest of twelve cybercriminals in Ukraine and Switzerland. The operation targeted the perpetrators of ransomware attacks against critical infrastructure and large organisations worldwide.

George Papamargaritis, MSS Director, Obrela Security Industries, says that “the message from BlackMatter is very vague, so it is not clear if this is linked to the recent cybercriminal arrests by Europol or has been spurred by something else. If it turns out to be true that BlackMatter is closing its doors, this is a big win for law enforcement. However, the real impact is yet to be seen.

“BlackMatter emerged on the threat landscape shortly after DarkSide closed its doors, and many in the security industry believe that these RaaS operations are run by the same actors. This means that if BlackMatter does close its doors, it could rebrand under a different name and continue to carry out large-scale ransomware attacks.

“Organisations should never let their guard down when it comes to ransomware, even when major hacking gangs are apparently going offline. Instead, focus on defences that stop ransomware getting on to systems, carry out network segmentation, run regular incident response training, and try to keep backups offline,” he added.