BlackMatter ransomware gang says it's disbanding – again – after Ukraine arrests
Just like the last time. Don't get your hopes up
A member of the BlackMatter (aka Darkside) ransomware gang has publicly claimed the extortionists are shutting down, causing much excitement within the infosec world.
A Russian-language message reportedly posted on a forum used by ransomware criminals is said to have announced BlackMatter's second disappearance of 2021, the gang previously pulling a disappearing act under their former name of Darkside.
The vx-underground Twitter account was used to post both the screenshot and a claimed translation. The Register is unable to vouch for the accuracy of the translation.
BlackMatter ransomware group has announced they're shutting down operations following pressure from local authorities - they state key members are no longer 'available'.— vx-underground (@vxunderground) November 3, 2021
Image 1. BlackMatter RaaS announcement of operations shutting down
Image 2. Russian translated to English pic.twitter.com/E4RWWAX7Hg
The claimed translation says:
Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off, it is allowed to:
Issue mail to companies for further communication. Get decryptors, for this write "give a decryptor" inside the company chat where they are needed.
We wish you all success, we were glad to work.
The broader infosec industry rejoiced, with El Reg's inbox overflowing today with commentary hailing a success for Western computer security in general. Most agreed that the "shutdown" was probably a PR move and the temptation of filthy lucre would see individuals from the gang quietly carrying on their operations.
Pascal Geenens, director of threat intelligence at TI firm Radware, opined: "I would not be surprised if they go on to rebrand. BlackMatter is already a rebrand of DarkSide. They too shut down after the Colonial Pipeline attack as they felt the pressure of law enforcement."
Meanwhile, Turkish infosec firm Picus Security's Dr Süleyman Özarslan said: "Ransomware gangs are highly resilient and typically rebrand in six-month cycles. After the Colonial Pipeline attack, for example, Darkside was banned from many cybercrime forums for attacking a provider of critical infrastructure - prompting the decision to reform under a new name."
Arrests in Ukraine and Switzerland
Earlier this week police forces in Ukraine and Switzerland swooped on ransomware suspects, arresting 12 in what police coordination bureau Europol described as an "action day." While most informed analysis places ransomware criminals in Russia, in recent months Ukraine has seen the arrests of numerous suspects. Local news reporting appears to rarely mention follow-up details about trials or convictions at court, however.
- BlackMatter ransomware gang will target agriculture for its next harvest – Uncle Sam
- Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal
- Uncle Sam recovers 63.7 of 75 Bitcoins Colonial Pipeline paid to ransomware crew
Radware's Geenens added that DarkSide/BlackMatter is probably just rebranding to take some of the heat off itself, linking it to the shutdown of REvil, the Ukrainian arrests and a "report in the New York Times this Sunday that announced a closer collaboration between US and Russia to take on Russia-based cybercrime gangs". He commented: "They might feel it is safer to stop their current operations and make a fresh start."
In related news, yesterday Symantec's threat intel wing shared details of a new data exfiltration tool seen in use by BlackMatter, which it named Exmatter. The .NET executable uses Powershell to scrub traces of itself from host machines after stealing all your data. ®