BlackMatter, the ransomware-as-a-service (RaaS) group behind a string of cyberattacks, has reportedly been forced offline. The group’s recent behaviour is said to have angered both their criminal affiliates and law enforcement agencies, leading cybersecurity experts to believe that it has disappeared voluntarily in order to avoid trouble.
The disappearance of BlackMatter bears a striking similarity to the behaviour of another RaaS gang, Darkside, which vanished from the internet in June. Many believe BlackMatter is a new incarnation of Darkside run by the same group of threat actors.
As reported by Tech Monitor, BlackMatter is thought to have been behind a number of ransomware attacks, including several targeted at the agricultural sector. If it does resurface, the gang may find business is not as good as it has been previously, with the group’s behaviour having reportedly angered some of its affiliates, the groups to which it provides the malware that enables ransomware attacks. These affiliates may look to other, more reliable, hackers instead.
Have we seen the last of BlackMatter?
In a post on a hacking forum, BlackMatter claimed that recent activity from law enforcement had rendered it incapable of continuing to hack. Posted in Russian, the translated announcement reads: “Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours the entire infrastructure will be turned off.”
The “latest news” mentioned in the statement may refer to the recent cross-border ransomware sting led by Europol, the FBI and the NCA resulting in 12 people being detained and $52,000 in cash being seized. However, while current actions by law enforcement will no doubt be part of the reason for its departure, the group will have most likely gone offline to appear again under another name, notes Gary Robinson, CSO at security management company Uleska. “While this sounds like positive news, I wouldn’t bring out the celebratory balloons just yet,” he says. “We don’t know how genuine the announcement is, and it is unlikely to mean BlackMatter will be gone for good.”
We don’t know how genuine the announcement is, and it is unlikely to mean BlackMatter will be gone for good.
Gary Robinson, Uleska
A group the size of BlackMatter will have the resources and the expertise to disappear quickly, says Steve Forbes, head of cyber product at security company Nominet. “Any successful criminal group such as BlackMatter has considerable funds and resources that will enable them to reinvent themselves,” he says.
But, Forbes says, it is plausible recent actions by law enforcement will be making them more cautious. “If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible,” he says.
Was BlackMatter too unpopular to remain active?
Recently, BlackMatter made a mistake that cost its affiliates their cut of what should have been a lucrative ransom. An error while implementing its malware gave security company Emsisoft the opportunity it needed to return much of the encrypted data to victims without paying the ransoms.
Brett Callow, threat analyst at the company, said: “We collaborated with various law enforcement agencies to track down victims and help them recover their data. We can’t specify the total amount of ransoms that were avoided but we can say it was in the tens of millions.”
Such a mammoth loss may have been a contributing factor to BlackMatter feeling pressure to disappear. But Forbes says the threat actors behind the group are likely to re-emerge after a period of reflection. “Given the lucrative nature of RaaS we are likely to see them reappear in the near future,” he says, adding that the trend for disappearing and re-emerging with a new identity “seems to be working” for many hackers. “They’re making a lot of money from it doing it that way,” he says. “And generally in the technology sector, you talk about ‘move fast, break often and learn’.”
The threat actors behind BlackMatter may not be able to continue this behaviour much longer, however, as they might find it increasingly difficult to drum up business if they can’t be trusted to successfully deliver the cash to customers. “How long will the affiliates put up with this, particularly when there is other ransomware-as-a-service being created all the time,” Forbes asks.
He adds: “They are in real danger of losing out to their competition. You can’t keep [angering affiliates] for a prolonged period of time, just like you can’t do that in the consumer world. There are only so many times you can annoy your customers without pushing them away completely.”