The BlackMatter ransomware crew appears to be on the verge of shutting down its operation, citing pressure from law enforcement, according to reports, but for the group’s existing victims, their nightmare is likely far from over.
In translations of screengrabs posted to Twitter from the VX Underground malware repository, a BlackMatter representative said that due to “unsolvable circumstances with pressure from the authorities”, the BlackMatter project would be closed, with its infrastructure to be turned off in the coming days.
However, in the statement, the representative also appeared to address BlackMatter’s affiliates, telling them they were still able to communicate with victims and obtain decryption tools, presumably to pass to those that pay, although this is unconfirmed. Note that a BlackMatter decryptor has been available from Emsisoft since late October.
Kevin Breen, director of cyber threat research at Immersive Labs, said that this unfortunately meant existing BlackMatter victims were probably not out of the woods yet.
“A few things we can take away from this are that it does not appear to be a takedown of their servers or infrastructure like we have seen in some recent examples. This means that any existing victims are not likely to get decryption keys handed to them,” he said.
“This is also reinforced by the second half of the message suggesting that those companies or personnel already dealing with active ransoms should continue to do so just by switching their communication method and getting the decryptors now before the infrastructure is shut down,” said Breen.
He said it was hard to predict how BlackMatter’s affiliates might respond, but that those working lower down the ransomware-as-a-service (RaaS) food chain tended to care less about who they work with, and so may just cut their losses and offer their “skills” to others.
Law enforcement operations
The supposed cessation of BlackMatter’s activities comes just days after a pan-European operation targeted 12 alleged ransomware operators who are believed to have conducted more than 1,800 attacks globally. Europol said the suspects were primarily associated with the Dharma, LockerGoga and MegaCortex ransomwares, and some other unnamed variants.
At the time of writing, it is unknown if BlackMatter is among those variants, but some commentators are already positing a link to this operation, and other recent law enforcement stings.
Other recent developments, such as talk of closer cooperation between the US and Russia on cyber crime, will not have gone unnoticed in the cyber criminal underground and are likely also a source of concern.
Whether or not BlackMatter’s operators really are trying to throw law enforcement off their trail, Carl Wearn, head of e-crime at Mimecast, said historical precedent would suggest such announcements rarely mark the end of the road for ransomware operators.
“This is highly unlikely to be the end of the threat actors behind the BlackMatter group and this looks like a classic rebrand or splintering,” he said.
“Cyber criminals that are making this much money rarely give up, as the greed that drives them to commit the crimes in the first place rarely allows them to stop,” said Wearn. “Many criminal organisations claim to shut down in an attempt to reduce the heat, just to splinter or return after a brief hiatus under a different name.”
Such reinvention tactics were famously used by the operators of the – now defunct again – REvil ransomware, who rebranded as REvil after retiring their previous project, GandCrab, in 2019.
Elaborate hoax
In related news, the individual behind a new ransomware gang dubbed Groove has revealed their project was an elaborate hoax designed to attract the attention of, and to troll, security researchers and media.
Groove emerged in August on a recently created Russian-language dark web forum called Ramp. The individual behind it called for disparate ransomware gangs to unite against the US public sector, and attempted to establish their bona fides with a supposed list of leaked user logins for unpatched Fortinet VPN products. According to Brian Krebs of Krebs on Security, they also ran a leak site, which contained the details of a very small number of victims.
However, in subsequent claims, the individual behind Groove, an apparently well-known figure who uses the handle Boriselcin, said: “Groove gang does not exist – this is a kind of trolling of the Western media and it once again shows how they are afraid of us… I was f**king good at manipulating the media.”
In a blog post assessing the Groove revelations, Flashpoint analysts said this was not the first time Russian-speaking threat actors had tried to exploit technology media to spread fear, uncertainty and doubt, and that mocking Western media outlets and reporters is a frequent topic of conversation on dark web forums.
However, added Flashpoint, the core motivation of ransomware operators being financial, one can assess with some degree of confidence that this grandstanding is merely a sideshow. Per Krebs, this may be an indication that Groove was legitimate to some degree, and that its operator is also turning their focus to a new project.