BlackMatter Ransomware Gang Announces Shutdown

The cybercriminals behind the BlackMatter Ransomware-as-a-Service (RaaS) operation this week announced plans to close shop.

Active since July 2021, BlackMatter is the product of the Coreid cybercrime group, which also operated the DarkSide ransomware. BlackMatter’s use in attacks on critical infrastructure entities in the United States recently prompted the U.S. government to issue an alert on the RaaS operation.

On Monday, the BlackMatter operators posted on their RaaS website a message announcing that the entire operation would be shutting down within 48 hours.

In their message, the miscreants mention increased pressure from the authorities and say that part of the team is no longer available “after the latest news,” most likely a reference to last week’s wave of arrests in Europe.

A total of 12 suspects were arrested, most of them considered high-value targets because of their involvement in multiple high-profile cases, Europol said.

Despite operating for only four months, BlackMatter emerged as one of the most prolific ransomware operations out there, with more than 50 businesses being hit to date.

At an average ransom demand of $5.3 million, the attackers could have made hundreds of millions from the operation, but the total amount is still unknown. In September, the cybercriminals demanded $5.9 million from Iowa-based New Cooperative.

The highest ransom demand made by the BlackMatter gang was $30 million, requested from Japan’s Olympus Corporation, Singapore-based cybersecurity firm Group-IB says.

The estimates are based on the negotiation chats the cybercriminals had with their victims. Responding to a SecurityWeek inquiry, Group-IB didn’t make an estimate as to how much the BlackMatter gang might have made from the operation.

“The identified cryptocurrency wallets had no transactions as they were related to the victims who refused to pay the ransom and whose data was published on the gang’s DLS. The number of victims who actually paid the ransom as well as the gang’s earnings are unknown,” Oleg Skulkin, head of DFIR Lab at Group-IB, said.

More than half (52%) of the organizations hit by BlackMatter are from the U.S., with others located in Austria (11%), Italy (7%) and France (7%), as well as eight other countries. The production sector was affected the most, Group-IB says.

Both Windows and Linux versions of the BlackMatter ransomware were observed, and earlier this week security researchers warned that the group had developed a custom data exfiltration tool to accelerate its attacks. The stolen data was used to pressure victims into paying the ransom.

Despite the shutdown announcement, however, security researchers believe that the gang won’t retire completely. In fact, several security experts have told SecurityWeek that BlackMatter will likely return under a different name, just as DarkSide did.

They also warn that some of the group’s members might join active RaaS operations out there and encourage organizations to strengthen their defenses against ransomware and other malicious attacks.

“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering. Organisations must recognise this threat and invest in their cybersecurity and help to alleviate the risk of ransomware,” Carl Wearn, head of e-crime at Mimecast, said.

Related: U.S. Government Issues Urgent Warning on BlackMatter Ransomware

Related: 12 People Arrested Over Ransomware Attacks on Critical Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
