Authorities pressured BlackMatter ransomware to shut down operations

December 9, 2021

An announcement was released by the BlackMatter ransomware group recently, stating that they are planning to shut down their operations due to pressure from law enforcement. The ransomware group’s announcement was posted from their Ransomware-as-a-Service backend portal that is also a gateway for other threat groups to access the BlackMatter ransomware strain.

The message, written in Russian, was posted on October 1, 2021, by a member of the vx-underground infosec group. It stated that the group was discontinuing its operations because of the pressure it was receiving from the authorities. It further said that the entire BlackMatter infrastructure would be turned off within 48 hours, but that affiliates would still be allowed to “issue mail to companies for further communication” and to “get decryptors, for this write ‘give a decryptor’ inside the company chat where they are needed.”


The BlackMatter ransomware group did not explain its reason for shutting down any further; however, security analysts think the decision may have been prompted by three major events involving the group in the past few weeks.


The first event was a report involving the FIN7 cybercrime group, the alleged creators of the BlackMatter and DarkSide ransomware strains, in which the group was suspected of having recruited collaborators from a public cybersecurity company, Bastion Secure, without their knowledge.

The second was when another security firm quietly developed a decryption key for the BlackMatter ransomware strain and distributed it to victims so they would not need to pay the threat group’s ransom demands. This event dented the threat group’s revenue.

Lastly, a report was published about the US and Russia partnering up to track all Russia-based threat groups. As the creators of the BlackMatter and DarkSide ransomware strains, FIN7 is believed to operate within Russia.

Arrests tied to multiple FIN7 ransomware operations may have contributed to the pressure.

During the summer of this year, multiple FIN7 ransomware operations were disrupted by law enforcement after members of the threat group were arrested around the world. This event may also have contributed to the pressure that led to the shutdown announcement.

One example is the DarkSide ransomware operation, which had to discontinue its activities after its servers were hacked and its cryptocurrency funds were stolen. Furthermore, the REvil threat group, a rival ransomware gang of BlackMatter, had also been hijacked and shut down by law enforcement twice this year.

The intense pressure that the BlackMatter ransomware group experienced came in response to the surge in its attack activity this year. Security analysts believe that many law enforcement agencies have long been aware of the identities of ransomware group members but have been hindered in tracking them because Russia has been uncooperative.

However, the situation may be changing for the better, now that one of these ransomware groups, BlackMatter, has given up on continuing its attack operations.
