The infamous BlackMatter ransomware group is allegedly shutting down its operation due to pressure from the authorities and recent law enforcement operations – what kind of impact will this have on organisations as we emerge from the ‘digital pandemic’ of cyber attacks?
This week, the BlackMatter ransomware crew announced it was shutting down its operation, citing pressure from law enforcement. According to translations of screenshots posted to Twitter, a BlackMatter representative said that due to “unsolvable circumstances with pressure from the authorities,” the BlackMatter project would be closed, with its infrastructure to be turned off in the coming days.
While this may look like positive news, the outlook remains uncertain for victims of previous ransomware attacks. In the statement, a representative addressed BlackMatter’s affiliates, telling them they were still able to communicate with victims and obtain decryption tools, presumably to pass to those that pay, although this is unconfirmed.
Kevin Breen, Director of Cyber Threat Research at Immersive Labs, said that this unfortunately meant existing BlackMatter victims were probably not out of the woods yet. He stated: “a few things we can take away from this are that it does not appear to be a takedown of their servers or infrastructure like we have seen in some recent examples. This means that any existing victims are not likely to get decryption keys handed to them. This is also reinforced by the second half of the message suggesting that those companies or personnel already dealing with active ransoms should continue to do so just by switching their communication method and getting the decryptors now before the infrastructure is shut down.”
He said it was hard to predict how BlackMatter’s affiliates might respond, but that those working lower down the ransomware-as-a-service (RaaS) food chain tended to care less about who they work with, and so may just cut their losses and offer their “skills” to others.
Commenting on these revelations, Gary Robinson, CSO at Uleska says: “While this sounds like positive news, I wouldn’t bring out the celebratory balloons just yet. Firstly, we don’t know how genuine the announcement is, and secondly it is unlikely to mean BlackMatter will be gone for good. Cybercrime gangs will often rebrand or disappear from the public eye following attacks, but it rarely means they have disappeared forever. Just look at Emotet, it took seven years for the malware to be taken down entirely.
“As a result, organisations should not use this announcement as a basis to let their guard down against ransomware. Instead, continue to focus on defending against the threat by deploying technology which prevents the malware getting on to systems before it causes damage, keep systems up-to-date with the latest patches and always run a frequent back up system.”
Robert Golladay, EMEA and APAC Director at Illusive, points out that while BlackMatter may be offline, they may still make a comeback, as other ransomware gangs such as REvil have done. He continues: “even though the threat group has fallen silent, we remain in the middle of a digital pandemic and organisations should never fall into a false sense of security, always continuing to strengthen their security posture as though they expect to be targeted.
“It’s difficult to say if the group has shut down for good, however it is best to assume the worst case scenario and prepare for it. Attackers might already be within the network, therefore it is necessary to create a hostile environment that facilitates early detection and prevents lateral movement to protect critical assets.”
“It is hard to speculate what cyber criminals will do next,” adds Hugo van den Toorn, Manager Offensive Security, Outpost24. “But recently we have seen others that have been disrupted and make a new start under another name/brand. So, it would not be unlikely we will see a Facebook-nay-Meta-like rebrand for these actors. Sometimes it is legitimately parts of the criminal gang that want to stop their activities, but it might also just be a decoy or a change in strategy under another name.”
George Papamargaritis, MSS Director at Obrela Security Industries agrees: “The message from BlackMatter is very vague, so it is not clear if this is linked to the recent cybercriminal arrests by Europol or has been spurred by something else. BlackMatter emerged on the threat landscape shortly after Dark Side closed its doors and many in the security industry believe that these RaaS operations are run by the same actors.
“Organisations should never let their guard down when it comes to ransomware, even when major hacking gangs are apparently going offline. Instead focus on defences that stop ransomware getting on to systems, carry out network segmentation, run regular incident response training, and try to keep backups offline.”