Ransomware Gang, BlackMatter – Ceasing Operations

Overnight, the BlackMatter ransomware gang announced that it would be ceasing operations, citing pressure from authorities and announcing that some of its core members were “unavailable.” At this point, it’s not clear whether core group members are “unavailable” because they are in custody or have simply decided the stakes are too high to continue operations. The group’s note specifically mentions pressure from authorities, likely local law enforcement. That’s a sign that saber-rattling by the US government (and others) appears to be helping. But as always, there’s more to the story than might first meet the eye. Let’s dive a bit deeper.

BlackMatter aka DarkSide Ransomware

If the DarkSide name sounds familiar, that’s because it should.  Researchers almost universally recognize BlackMatter as a resurrected version of the DarkSide ransomware group. In May 2021, DarkSide compromised the operator of the Colonial Pipeline, leading to gas shortages (at least indirectly) in the US Southeast. After that attack, DarkSide announced it was shutting down operations, though everyone in the industry understood that meant it would likely be rebranding.

Analysis of a Ransomware’s Demise

In October, researchers discovered a flaw in how encryption keys were generated for BlackMatter’s ransomware. The flaw allowed them to write a universal decryption tool that was released to the public. The released decryption tool led to operators and affiliates losing millions of dollars in ransom payments over the last month, straining relationships with affiliates. Given this backdrop alone, it’s easy to imagine it might not take much pressure from authorities for core BlackMatter members to hang up their hats.

Ransomware operators are feeling the pressure of decreased payment rates, owed mainly to better backups and other preparation by victims. This preparation has made the use of double extortion methods (where threat actors exfiltrate data in addition to encrypting) necessary to regain some leverage and compel payment. How vital is double extortion to BlackMatter? There’s some anecdotal evidence BlackMatter relies on this method more than other groups.

In October, researchers discovered a tool attributed to the BlackMatter ransomware group. They built the tool specifically to standardize data exfiltration across BlackMatter’s different affiliates. The mere existence of the exfiltration tool highlights the importance of double extortion in BlackMatter’s operations. By combining the data search and exfiltration operations into a single step, the tool seemingly increases the likelihood that data is only exfiltrated to the core BlackMatter group, rather than affiliates also retaining a copy of the data. We can certainly infer that BlackMatter (and affiliates) couldn’t have been thrilled their new data exfiltration tool was discovered in the wild and published about so quickly.

BlackMatter going the way of REvil

This points to a group already stressed, likely ready to wrap things up and retire to a beachfront Dacha in Sochi. But wait – there’s more! From BlackMatter’s appearance on the ransomware scene, it’s been rumored that they share some overlap with REvil. While we can’t confirm if the group membership overlaps, their tooling definitely does.  It became clear in mid-October that REvil had been infiltrated by law enforcement. If the membership of the two groups does indeed overlap, we can infer that the pressure might undoubtedly make some of their core members “unavailable.”