BlackMatter Shuts And Gone Dark

Ransomware-as-a-service provider BlackMatter has ceased operations due to pressure from local authorities, malware research organization vx-underground says, citing an announcement made by the gang on a Russian underground site.

BlackMatter, which is linked with the Coreid cybercrime group, is also believed to be a reincarnation of the defunct DarkSide ransomware gang. DarkSide targeted Colonial Pipeline Co. in May and disrupted fuel deliveries along the U.S. East Coast.

“Due to certain unsolvable circumstances associated with pressure from the authorities – project is closed,”citing the criminal group’s announcement, translated from Russian. “After 48 hours, the entire infrastructure will be turned off, allowing: issue mail to companies for further communication and get decryptor. For this write “give a decryptor” inside the company chat, where necessary. We wish you all success, we were glad to work.”

Separately, days before the news of the disbandment surfaced, a team of threat hunters at cybersecurity company Symantec found that an affiliate of the BlackMatter ransomware group uses a custom data exfiltration tool for its attacks.

“Exmatter,is designed to steal specific file types from a number of selected directories and upload them to an attacker controlled server prior to deployment of the ransomware itself on the victim’s network,”

Symantec Note

Exmatter is the third such custom data exfiltration tool developed by ransomware operators, following the discovery of the Ryuk Stealer tool and StealBit, which is linked to the LockBit ransomware operation.

Tying the two bits of news together,the ransomware attack against Colonial Pipeline resulted in the shutting down of DarkSide ransomware, which shortly returned under the name of BlackMatter.

While the name was different, the core ransomware code was not, and it had the same weaknesses that allowed free decryptors to be produced. Decryptor for BlackMatter available and had been secretly helping victims. Taking these factors into account, it is likely this is yet another ransomware group pretending to shut down, when in reality, it is just a rebrand and launch of a new improved version sometime soon in the future

BlackMatter’s shutdown announcement follows the arrest of 12 individuals by Europol for their suspected roles in ransomware attacks against critical infrastructure across the world.

These actors are believed to have affected more than 1,800 victims in 71 countries and are known to have targeted large corporations, causing business disruption, according to Europol.