The BlackMatter ransomware group, which has been active in the last 4 months, has recently announced that it will be shutting down operations according to reports released by a member of the security research group vx-underground. BlackMatter provided malware and services to affiliate groups in a ransomware-as-a-service model (RaaS). These affiliate groups then used this ransomware strain to conduct the actual intrusions and malware deployment on targeted organizations’ networks. The announcement was posted on the backend of BlackMatter’s ransomware portal, typically accessed by criminal affiliate groups purchasing the provided ransomware services.
Analyst Notes
BlackMatter is suspected by many researchers and law enforcement organizations, including CISA, to be a reorganization of the DarkSide ransomware group that ended operations in July. Historically, criminal groups often reorganize due to political or law enforcement pressure, or from the loss of services from key members. It remains to be seen whether such a reorganization will take place for BlackMatter members.
The RaaS model seems to be alive and well, and it is likely that criminals will continue to operate as long as they can profit from their actions. However, new pressure is being applied to ransomware groups. Articles, including reports in the New York Times, have recently claimed that the USA and Russia are collaborating more closely on policing the activities of ransomware groups based in Russia.
https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/
https://us-cert.cisa.gov/ncas/alerts/aa21-291a