BlackMatter ransomware gang says it's disbanding – again – after Ukraine arrests

Just like the last time. Don't get your hopes up


A member of the BlackMatter (aka Darkside) ransomware gang has publicly claimed the extortionists are shutting down, causing much excitement within the infosec world.

A Russian-language message reportedly posted on a forum used by ransomware criminals is said to have announced BlackMatter's second disappearance of 2021, the gang previously pulling a disappearing act under their former name of Darkside.

The vx-underground Twitter account was used to post both the screenshot and a claimed translation. The Register is unable to vouch for the accuracy of the translation.

The claimed translation says:

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:

Issue mail to companies for further communication. Get decryptors, for this write "give a decryptor" inside the company chat where they are needed.

We wish you all success, we were glad to work.

The broader infosec industry rejoiced, with El Reg's inbox overflowing today with commentary hailing a success for Western computer security in general. Most agreed that the "shutdown" was probably a PR move and the temptation of filthy lucre would see individuals from the gang quietly carrying on their operations.

Pascal Geenens, director of threat intelligence at TI firm Radware, opined: "I would not be surprised if they go on to rebrand. BlackMatter is already a rebrand of DarkSide. They too shut down after the Colonial Pipeline attack as they felt the pressure of law enforcement."

Meanwhile, Turkish infosec firm Picus Security's Dr Süleyman Özarslan said: "Ransomware gangs are highly resilient and typically rebrand in six-month cycles. After the Colonial Pipeline attack, for example, Darkside was banned from many cybercrime forums for attacking a provider of critical infrastructure - prompting the decision to reform under a new name."

Arrests in Ukraine and Switzerland

Earlier this week police forces in Ukraine and Switzerland swooped on ransomware suspects, arresting 12 in what police coordination bureau Europol described as an "action day." While most informed analysis places ransomware criminals in Russia, in recent months Ukraine has seen the arrests of numerous suspects. Local news reporting appears to rarely mention follow-up details about trials or convictions at court, however.

Radware's Geenens added that DarkSide/BlackMatter is probably just rebranding to take some of the heat off itself, linking it to the shutdown of REvil, the Ukrainian arrests and a "report in the New York Times this Sunday that announced a closer collaboration between US and Russia to take on Russia-based cybercrime gangs". He commented: "They might feel it is safer to stop their current operations and make a fresh start."

In related news, yesterday Symantec's threat intel wing shared details of a new data exfiltration tool seen in use by BlackMatter, which it named Exmatter. The .NET executable uses PowerShell to scrub traces of itself from host machines after stealing all your data. ®



Biting the hand that feeds IT © 1998–2021