BlackMatter ransomware claims to be shutting down due to police pressure

The BlackMatter ransomware is allegedly shutting down its operation due to pressure from the authorities and recent law enforcement operations.

BlackMatter operates a private ransomware-as-a-service (RaaS) website that affiliates can use to communicate with the core operators, open support tickets, and receive new ransomware builds.

Today, security research group VX-Underground was sent a screenshot of a message allegedly posted by the BlackMatter operators on November 1st on the RaaS website. This post warns affiliates that the ransomware operation was shutting down in 48 hours.

This post roughly translates to English as the following:

"Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) - project is closed.

After 48 hours the entire infrastructure will be turned off, allowing:

 * Issue mail to companies for further communication
 * Get decryptor. For this write "give a decryptor" inside the company chat, where necessary.
 
We wish you all success, we were glad to work."

It is unclear what "latest news" is referring to, but the missing team members could be related to a recent international law enforcement operation arresting twelve individuals linked to 1,800 ransomware attacks in 71 countries.

In July, the REvil public-facing representative known as 'Unknown' also went missing, leading to the shutting down of REvil.

If this post is legitimate and BlackMatter is shutting down its operation, it does not mean that the threat actors will no longer extort existing victims.

Based on the post, the RaaS site will allow affiliates to receive decryptors for existing victims so that they can continue extorting victims on their own.

BleepingComputer has not confirmed the validity of the post, but VX-Underground told BleepingComputer that a BlackMatter affiliate sent them the image.

Whether BlackMatter is shutting down remains to be seen, as it has been more than 48 hours since the warning was issued to affiliates, and the group's Tor payment site and data leak remain operational.

Since this post originally published, the BlackMatter gang has been busy cleaning up traces of their activity online, including withdrawing deposited Bitcoins on hacker forums, deleting forum posts, and deactivating their accounts.

BleepingComputer also discovered that the BlackMatter, or its affiliates, have partnered with the competing LockBit ransomware operation to move victim's to LockBit's negotiation site for continued extortion.

Likely to rebrand as a new ransomware 

However, even if BlackMatter shuts down its operation, we will likely see them return as a different group in the future.

When ransomware gangs feel pressure from law enforcement or target a highly sensitive organization, it is common that they shut down their operation and relaunch under a new name.

BlackMatter is already a rebrand of the DarkSide operation, which shut down after attacking the Colonial Pipeline and feeling the full pressure of international law enforcement.

Other ransomware operations that have rebranded in the past include:

• REvil to GandCrab
• Maze to Egregor
• Bitpaymer to DoppelPaymer to Grief
• Nemty to Nefilim to Karma

It is only a matter of time until the operators of BlackMatter relaunch under a different name.

Update 11/5/21: Added information about current shut down activities.