BlackMatter Ransomware Gang Announces Shutdown

The cybercriminals behind the BlackMatter Ransomware-as-a-Service (RaaS) operation this week announced plans to close shop.

Active since July 2021, BlackMatter is the product of the Coreid cybercrime group, which also operated the DarkSide ransomware. Because BlackMatter has been used in attacks on critical infrastructure entities in the United States, the U.S. government recently issued an alert on the RaaS operation.

On Monday, the BlackMatter operators posted on their RaaS website a message announcing that the entire operation would be shutting down within 48 hours.

In their message, the miscreants mention increased pressure from the authorities and say that part of the team is no longer available “after the latest news,” most likely a reference to last week’s wave of arrests in Europe.

A total of 12 suspects were arrested, most of them being considered high-value targets due to their involvement in multiple high-profile cases, Europol said.

Despite operating for only four months, BlackMatter emerged as one of the most prolific ransomware operations out there, with more than 50 businesses being hit to date.

At an average ransom demand of $5.3 million, the attackers could have made hundreds of millions from the operation, but the total amount is still unknown. In September, the cybercriminals demanded $5.9 million from Iowa-based New Cooperative.

The highest ransom demand made by the BlackMatter gang was $30 million, requested from Japan’s Olympus Corporation, Singapore-based cybersecurity firm Group-IB says.

The estimates are based on the negotiation chats the cybercriminals had with their victims. Responding to a SecurityWeek inquiry, Group-IB didn’t make an estimate as to how much the BlackMatter gang might have made from the operation.

“The identified cryptocurrency wallets had no transactions as they were related to the victims who refused to pay the ransom and whose data was published on the gang’s DLS. The number of victims who actually paid the ransom as well as the gang’s earnings are unknown,” Oleg Skulkin, head of DFIR Lab at Group-IB, said.

More than half (52%) of the organizations hit by BlackMatter are from the U.S., with others located in Austria (11%), Italy (7%) and France (7%), as well as eight other countries. The production sector was affected the most, Group-IB says.

Both Windows and Linux versions of the BlackMatter ransomware were observed, and earlier this week security researchers warned that the group had developed a custom data exfiltration tool to accelerate its attacks. The stolen data was being used to pressure victims into paying the ransom.

Despite the shutdown announcement, however, security researchers believe that the gang won’t retire completely. In fact, several security experts have told SecurityWeek that BlackMatter will likely return under a different name, just as DarkSide did.

They also warn that some of the group’s members might join active RaaS operations out there and encourage organizations to strengthen their defenses against ransomware and other malicious attacks.

“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering. Organisations must recognise this threat and invest in their cybersecurity and help to alleviate the risk of ransomware,” Carl Wearn, head of e-crime at Mimecast, said.

Related: U.S. Government Issues Urgent Warning on BlackMatter Ransomware

Related: 12 People Arrested Over Ransomware Attacks on Critical Infrastructure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.