BlackMatter ransomware claims to be shutting down
In a message written in Russian, the group said the attention from the authorities forced the decision. Experts view this as a rebranding campaign.
Security research group VX-Underground shared a message on Twitter from a website BlackMatter employs to communicate with its affiliates.
The message, written in Russian, claims that due to the pressure from the authorities, BlackMatter is closing in two days.
"Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) - the project is closed. After 48 hours, the entire infrastructure will be turned off," said the message.
Recently, threat actors used BlackMatter ransomware to target US farm service provider New Cooperative Inc., threatening to disrupt the food supply.
"It is likely this is yet another ransomware group pretending to shut down when in reality it is just a rebrand and launch of a new, improved version sometime soon in the future." - Peter Mackenzie
It's not clear what 'latest news' the group is referring to. However, last Friday, Europol announced targeting a total of 12 individuals that authorities believe were responsible for attacks affecting over 1,800 victims in 71 countries.
Two weeks ago, another infamous cybercrime group, REvil, announced it was going offline for a second time. According to cybersecurity experts, law enforcement and intelligence cyber specialists were able to hack REvil's computer network infrastructure and compromise the gang's backups.
BlackMatter is one of many ransomware groups selling Ransomware-as-a-Service (RaaS). Under this scheme, a criminal group provides the software and its affiliates extort victims, with the developers taking a share of the proceeds.
The group is a successor to another notorious gang, DarkSide. The latter closed down after an attack against Colonial Pipeline, causing fuel shortages in the American Southeast.
According to Peter Mackenzie, Director of Incident Response at cybersecurity company Sophos, the alleged closedown is likely just another rebranding campaign by the same people behind the ever-changing malware.
Last month, security researchers at Emsisoft posted a blog entry stating they had a decrypter for BlackMatter and had been secretly helping victims.
"Taking these factors into account, it is likely this is yet another ransomware group pretending to shut down when in reality it is just a rebrand and launch of a new, improved version sometime soon in the future," Mackenzie told CyberNews.
Meanwhile, Dmitri Alperovitch, co-founder of the cybersecurity company CrowdStrike, tweeted that the reasons behind the shutdown are not as clear-cut as they might seem.
He noted that both REvil and BlackMatter announced going offline with references to missing gang members. While that might mean that heat from previous attacks forced threat actors to lay low, it might also be that the criminals themselves are in the dark about the disappearances.
"If these disappearances continue without any explanation, the psychological impact will be very powerful and not just directly on the groups impacted," Alperovitch wrote.
Cyberattacks are increasing in scale, sophistication, and scope. The last 12 months were rife with major high-profile cyberattacks, such as the SolarWinds hack and the attacks against meat processing company JBS and software firm Kaseya.
Even when authorities exert pressure to force some groups offline, threat actors either rebrand or form new groups. Most recently, LockBit 2.0 was the most active ransomware group, with a whopping 203 victims in Q3 of 2021 alone.
An average data breach costs victims $4.24 million per incident, the highest in 17 years. By comparison, the average cost stood at $3.86 million per incident last year, putting recent results at a 10% increase.
Reports show that the people most vulnerable to cybercrime tend to be adults over 75 and younger adults. Criminals took advantage of the uncertainty caused by the pandemic and the flood of new users to digital channels, who were especially susceptible to attack.