SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Cybersecurity experts weigh in on BlackMatter ransomware shut down
Fri, 5th Nov 2021
FYI, this story is more than a year old

BlackMatter ransomware group is claiming to it is shutting down operations following recent police operations and pressures from law enforcement, according to reports.

John Vestberg, chief executive at Clavister, says that while it is certainly a positive that BlackMatter gang has shut down and that police pressure has curbed its actions, it is important not to become complacent in the fight against cybercriminal gangs.

"Like rock bands breaking up and members commencing solo careers, there is no guarantee that the end is just that," he says.

"BlackMatter has already stated that it was only a part of the group that has come under pressure from the authorities, suggesting that there are some aspects still operational.

"For organisations, this is a time to review and readdress their cybersecurity protection measures, making sure that they are prepared to withstand ransomware attacks that can come from all vectors. One only needs to look at the effects of New Cooperative and Crystal Valley attacks to see the threat BlackMatter members pose in the ransomware space."

Steve Forbes, government cyber security expert at Nominet, says successful criminal groups such as BlackMatter have considerable funds and resources that will enable them to reinvent themselves.

"If the criminals feel that part of their operation is compromised or that law enforcement are closing in then they will naturally want to distance themselves from their existing activities and infrastructure as quickly as possible, but given the lucrative activity of RaaS we are likely to see them reappear in the near future," he says.

"This could of course be a deliberate ploy if they feel that their communications with affiliates is being monitored, perhaps to divert the attention of law enforcement to other ransomware gangs.

"For these criminal organisations they are always going to be weighing up the risk and reward, much like any criminal activity, but given that the rewards of successful ransomware attacks are so big it is unlikely that this is the last we will see of this group. Despite some recent wins for law enforcement, the battle against ransomware is far from over."

The ransomware attack against Colonial Pipeline in the US earlier this year resulted in the shutting down of DarkSide ransomware who had claimed responsibility, this resulted in DarkSide returning under the new name of BlackMatter shortly after.

Peter Mackenzie, director of incident response at Sophos, says while the name was different, the core ransomware code was not, and it had the same weaknesses that allowed free decrypters to be produced.

"In October, a security company announced they had a decrypter for BlackMatter and had been secretly helping victims. Taking these factors into account it is likely this is yet another ransomware group pretending to shutdown, when in reality it is just a rebrand and launch of a new improved version sometime soon in the future," he says.

Meanwhile, Flashpoint analysts have cautioned that BlackMatter's closure may see its affiliates spread to other ransomware groups, or start their own, as has frequently happened before.

The group claimed some of its key members are no longer ‘available' and that the closure will be effective November 5.

The analysts also observed chatter in the threat actor community that Russian authorities – involved in diplomatic ransomware talks with the US – are potentially making ‘strategic concessions' with the US and forced the closure. Earlier threat actors on top-tier forums also noted that REvil, behind the Colonial Pipeline and JBS attacks, was first forced offline shortly after diplomatic talks started.

Flashpoint says any resurgence will likely be watched closely by authorities as the updated Critical Infrastructure Bill is finalised – BlackMatter has shown a willingness and ability to attack CI providers, taking down a farmers' cooperative in the US – a direct hit on its food supply chain.

This news announcement comes on the heels of a major Europol operation in Switzerland and Ukraine, conducted in concert with US law enforcement, in which 12 people accused of running ransomware operations were targeted in raids on October 29. The targets reportedly had more than 1,800 victims in 71 countries.

“It's important to note that when a ransomware collective goes dark—such as the apparent case here with BlackMatter, or with REvil—it doesn't necessarily mean that the threat actors associated with the group will cease future illicit cybercrime activities," Flashpoint says.

Flashpoint analysts have observed on numerous occasions affiliates of a defunct ransomware group quickly reorienting themselves in the threat actor community by associating with active ransomware groups, or by starting their own. Analysts also assess with moderate confidence, based on earlier experiences, that following the fall of BlackMatter (and potentially REvil), new ransomware collectives will be formed.

“Flashpoint analysts have observed threat actors discussing the news of BlackMatter's apparent demise," it says.

"They have pointed out that they suspect that Russian authorities involved in the aforementioned diplomatic discussions are potentially making strategic concessions to the United States on ransomware.

"Earlier threat actors on top-tier forums also noted that REvil was first forced offline shortly after these talks started in summer 2021.