Cybersecurity researchers are wondering if reports that the BlackMatter ransomware gang is folding are too good to be true.
According to a news report the group made the announcement in the backend of their Ransomware-as-a-Service portal, where other criminal groups typically register in order to get access to the BlackMatter ransomware strain.
Another report said the security research group VX-Underground was sent a screenshot of a message allegedly posted by the BlackMatter operators on November 1st on the RaaS website.
A translation of the Russian post says
“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – project is closed.
After 48 hours the entire infrastructure will be turned off, allowing:
* Issue mail to companies for further communication
* Get decryptor. For this write “give a decryptor” inside the company chat, where necessary.
We wish you all success, we were glad to work.”
The news site The Record, a service of the threat intelligence provider Recorded Future, notes the move comes after three significant events:
— reports from Microsoft and Gemini Advisory that linked the FIN7 cybercrime group, considered the creators of the Darkside and BlackMatter strains, to a public cybersecurity firm named Bastion Secure, through which they allegedly recruited unwitting collaborators;
— security firm Emsisoft had secretly developed a decryption utility for the BlackMatter ransomware strain, which the company had quietly given to victims in order to let them avoid paying the group’s ransom demands;
— a report from the New York Times this Sunday that announced that the U.S. and Russia were collaborating on cracking down on Russia-based cybercrime and ransomware gangs, among others.
For its part, the Bleeping Computer news site said there might be a link to a Europol announcement last week that law enforcement had detained 12 people in Ukraine and Switzerland on suspicion of being involved in ransomware.
In an email, Brett Callow, British Columbia-based threat analyst for Emsisoft, told ITWorldCanada.com that The BlackMatter operators will be spooked, as will their affiliates, by the gang’s post. “Their affiliates will also be annoyed because of their multi-million dollar losses due BlackMatter’s coding error – which they’ll no doubt be concerned could also have resulted in BlackMatter’s infrastructure being compromised.
“At the end of the day, it’s unclear what’s happened. The operation could’ve folded simply due to lost confidence and paranoia, or the Russian government may also have had a hand in the gang’s decision.
“Whatever the case, this can be chalked up as another win – and the wins seem to be coming more often.”
The ransomware attack against Colonial Pipeline resulted in the shutting down of DarkSide ransomware, which had claimed responsibility for the attack, noted Peter Mackenzie, director of incident response at Sophos. This then resulted in DarkSide returning under the new name of BlackMatter shortly after. While the name was different, the core ransomware code was not, and it had the same weaknesses that allowed free decrypters to be produced. In October, Emsisoft announced they had a decrypter for BlackMatter and had been secretly helping victims.
“Taking these factors into account, it is likely this is yet another ransomware group pretending to shut down, when in reality it is just a rebrand and launch of a new improved version sometime soon in the future.”