The BlackMatter ransomware collective today announced the closure of their operations, effective November 5. In the blog post, BlackMatter claimed that some of its key members are no longer “available,” which, if true, could be an indication that BlackMatter-affiliated threat actors may have been compromised or made the decision to no longer partake in ransomware activities.
However, it’s important to note that when a ransomware collective goes dark—such as the apparent case here with BlackMatter, or with REvil—it doesn’t necessarily mean that the threat actors associated with the group will cease future illicit cybercrime activities.
Re-emergence is common
This news announcement comes on the heels of a major Europol operation in Switzerland and Ukraine, conducted in concert with US law enforcement, in which 12 people accused of running ransomware operations were targeted in raids on October 29. The targets reportedly had more than 1,800 victims in 71 countries.
Earlier that month, a different transnational cyber operation forced REvil, another major ransomware gang, offline.
Flashpoint analysts have observed on numerous occasions affiliates of a defunct ransomware group quickly reorienting themselves in the threat actor community by associating with active ransomware groups, or by starting their own. Analysts also assess with moderate confidence, based on earlier experiences, that following the fall of BlackMatter (and potentially REvil), new ransomware collectives will be formed.
Notably, the spokesperson of the LockBit ransomware group took to XSS and used the opportunity to invite BlackMatter members and affiliates to live in China, where the threat actor claimed to live.
Furthermore, several ransomware groups that have gone offline, either temporarily or permanently, were later reborn or rebranded. This year, following a ban on ransomware ads by several top-tier illicit forums, ransomware operators adapted their recruiting techniques to these new rules, and also created RAMP, a forum for ransomware operators and developers.
US-Russia Ransomware Talks
Flashpoint analysts assess with moderate confidence that BlackMatter going offline will lead to heightened anxiety among Russian-speaking cybercriminals operating in Europe and Russia, although it remains unclear whether these developments will push ransomware collectives to rethink their protocols, including the countries in which they conduct their illicit business.
Earlier this week CIA Director William Burns held talks with Nikolay Patrushev, the secretary of Russia’s Security Council in Moscow, on subjects including arms control and cybersecurity. Though the agenda of the talks was not made public several reports in recent weeks suggest that expert-level talks between the United States and Russia on ransomware attacks have seen progress.
Flashpoint analysts have observed threat actors discussing the news of BlackMatter’s apparent demise. They have pointed out that they suspect that Russian authorities involved in the aforementioned diplomatic discussions are potentially making strategic concessions to the United States on ransomware.
Earlier threat actors on top-tier forums also noted that REvil was first forced offline shortly after these talks started in summer 2021.
Track Ransomware Activity With Flashpoint
The data above was discovered directly through analyst research in the Flashpoint platform. Sign up for a free trial and see firsthand how Flashpoint can help you and your organization access the most critical information affecting your industry and the security community.