BlackMatter Ceases Operations as Law Enforcement Cracks Down

On November 3, 2021, a Twitter post by vx-underground displayed an announcement by BlackMatter leadership that they were shutting down ransomware operations. The announcement read,

“Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) -- project is closed...After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write 'give a decryptor' inside the company chat, where necessary. We wish you all success, we were glad to work.”


The news the group alludes to is strongly believed to be the disclosure that Emsisoft researchers had discovered a flaw in the ransomware’s code, which allowed them to develop a decryptor that was secretly provided to victims so that there would be no need to pay the ransom.

Unfortunately, in one instance, somebody within a victim’s organization leaked that the organization had suffered a BlackMatter infection and also leaked the private key.

Researchers pointed out how this hampered their recovery operations by stating,

“However, it wasn’t all smooth sailing. One of the biggest challenges we faced during the operation related to social media, and Twitter in particular. During one of the more high-profile BlackMatter incidents in September 2021, the ransom note was leaked. Ransom notes, including BlackMatter’s, contain critical information intended for the victim only, including instructions on how to reach out and communicate with the threat actor. Consequently, anybody who has access to a note can interact with the gang as though they were the victim. The broad Twitter infosec community quickly picked up on the leak, got their hands on the private link intended for the victim only, and started to hijack the negotiations being held on the BlackMatter communication platform. Soon, both the victim and the BlackMatter operators were confronted with an onslaught of insults and trolling behavior. In addition, screenshots of the conversations were taken and circulated within the Twitter community, which caused even more people to join the “fun”, quickly derailing any sort of intelligence gathering by law enforcement and security researchers in the process.”

It would not take long for BlackMatter operatives to realize that they had been compromised in some way and they completely shut down communications to prevent further mishaps. However, this does not appear to be the end of the bad news for the organization, and laying low might not be the solution to their problems after all.

On November 4, 2021, the US State Department announced that it would offer a reward of up to 10 million USD for information that leads to the positive identification and/or location of BlackMatter’s leadership. Further, there is also a 5 million USD reward for information that can lead directly to an arrest or conviction of any individual who conspired to participate in, or attempted to participate in, a “DarkSide variant ransomware incident.”

The use of the “DarkSide variant” language is interesting in that BlackMatter is believed to be a variant of DarkSide. After affiliates of the DarkSide ransomware gang caused the Colonial Pipeline incident, the amount of public attention meant that government agencies had to react.

The increased pressure forced DarkSide to lay low, and a few months later the group re-emerged as BlackMatter. The language used by the US State Department shows that it believes the link between the two groups is strong enough, in legal terms, to treat them as one and the same. Importantly, those involved in DarkSide operations are still on the hook for past indiscretions.

Law Enforcement Taking On Ransomware

Towards the end of October, it became apparent that law enforcement agencies across the globe were closing in on those affiliated with and directly involved in several ransomware gangs. In a statement, Europol said that 12 suspects from Ukraine and Switzerland had been targeted for their roles in distributing LockerGoga, MegaCortex, Dharma, and other ransomware in attacks against organizations in 71 countries.

Whether the suspects have been arrested is unclear, as a spokesperson for the law enforcement agency said judicial proceedings are still ongoing.

It was also noted that the suspects are believed to have various different roles in "aggressive" criminal organizations responsible for encrypting networks with ransomware and demanding a payment in exchange for the decryption key. Further, over 52,000 USD in cash was seized, alongside five luxury cars. A number of computers have also been seized and are being examined in order to secure evidence and identify new leads.

Also recently, Sodinokibi again announced that it would be ceasing operations. At the time of the announcement, security researchers speculated that US law enforcement may have had a hand in the ransomware gang’s decision. There were strong arguments to suggest this, but at the time it could only be considered speculation.

On November 3, 2021, the Washington Post published an article that strongly suggests the US Cyber Command and another foreign government organization had a hand in targeting servers known to be under the control of the ransomware’s leaders. This spooked the leaders and forced them to close up shop in an attempt to hide their identities.

Given that BlackMatter’s code base has been compromised by security researchers looking for flaws and that law enforcement has turned a corner in targeting ransomware operators, BlackMatter’s announcement that it is ceasing operations may be the wise move if its developers and affiliates wish to avoid jail time.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
