BlackMatter ransomware group is closing its Operations

BlackMatter ransomware group is closing its Operations-01

With the increase in the number of the crackdown and the pressure from authorities, BlackMatter ransomware has decided to stop its operations.

Blackmatter ransomware is shutting down its operations due to pressure from local authorities, says the criminal group behind its development. The cybercriminal group released its plan in a message that was posted in the backend of their Ransomware-as-a-Service portal, where other malicious actors register to get access to the BlackMatter ransomware.

Released on Monday, Nov 1, 2021a member of the vx-underground InfoSec group obtained the message. While they did the news that led them to take this drastic step to shut down the operations, the announcement has come after three significant events that took place over the past couple of weeks.

The first of these events reports comes from Microsoft and Gemini Advisory linked to the FIN7 cybercrime group that many consider the developer behind the Darkside and BlackMatter strains.

Also Read: Investments in Cybersecurity are Skyrocketing, but Cyber-attacks are Not Far Behind

The second event that may have influenced the decision was the development of a decryption utility for the BlackMatter ransomware strain from security Emsisoft. Working behind the scenes, the organization had been offering its services to the victims to avoid them paying the ransom demand from the group, thus disrupting their profits.

The last came from the New York Times when the US and Russia forged stronger ties to crack down on Russia-based cybercrime and ransomware gangs, among others. This is of great significance given that the FIN7 group has been believed to be operating from Russia.

Ransomware gangs under a significant political pressure

The recent statement from FIN7 about shutting down the operation was released when members of multiple ransomware operations were hunted and arrested across the world this summer. The intense pressure that many of the ransomware gangs faced is an aftermath of the surge in cyber-attacks that have reached their peak in 2021, with some attacks causing major issues across the globe. Some of the highlights include the REvil attack on JBS Foods (disrupting meat supply across the US), Colonial Pipeline (causing fuel-supplying issues for the US East Coast) and REvil attack on Kaseya (disrupting thousands of organizations across the world).

“With recent arrests and takedowns of different ransomware groups (REvil infrastructure taken down, Europol detaining a Ukrainian group linked to a few ransomware attacks), it is probably a proactive step for these ransomware groups to lay low for the moment. This should not be seen as the end because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups that are operating, so organizations and defenders should not be taking a breather but focus on disrupting them further,” said Calvin Gan, Senior Manager, Tactical Defense Unit, F-Secure.

Also Read: Mergers and Acquisitions: Mitigating Cybersecurity Threats

An industry expert of the security conferences has said that enforcement agencies have known the identities of the many ransomware operators but were not taking any initiative as they could not go after some groups due to Russia’s uncooperative nature. However, the country’s collaboration with the US to crack down on the cybercriminal operations says that the behavior is changing as per BlackMatter’s statement.

As per David Sygula, Senior Cybersecurity Analyst, CyberAngel, “Although no clear confirmation has been made by the group so far, their leaking website is offline. There’s always a bit of a mystery when a group stops their activity, the reasons are never clear, but either way there is little chance that it means the end of the group. A rebranding sounds like a good option and it’s also what is to be expected.

Every time a group catches too much attention, it’s easier to rebrand and start from scratch – or so it seems – to blur their tracks. But ironically, victims of their own success and no matter under what name, they will come back, and we will quickly make the link with their previous operations. Their names may change, but their techniques won’t.”

Callum Roxan, Head of Threat Intelligence, F-Secure seems to share some of the insights as David. He said, “As BlackMatter is widely considered to be a rebranded group of DarkSide that similarly “shut down” due to external pressures, it is certainly possible the group could rebrand again and continue to operate.

However, the BlackMatter announcement does suggest that some group members may no longer be at liberty to operate as cyber-criminals, and this could cause the remaining members to splinter or find other pursuits due to the heat they may be feeling from external parties. In the wider picture, there remain a number of active Ransomware-as-a-Service (RaaS) operators and affiliates that ex-BlackMatter members can look to operate with going forward if they wish.”

For more such updates follow us on Google News ITsecuritywire News