BlackMatter claims to be a successor of the now-defunct Darkside and REvil ransomware threat actors, who were responsible for the hacks on Colonial Pipeline and Kaseya, respectively.

What Happened?

Due to pressure from authorities and recent law enforcement operations, BlackMatter is apparently shutting down its activities.

The BlackMatter ransomware-as-a-service operation began with the particular goal of compromising business networks in the United States, Canada, Australia, and the United Kingdom that had a turnover of at least $100 million.

Ransomware-as-a-Service is an illegal ‘parent-affiliate(s)’ business architecture in which operators (i.e., harmful software owner and/or creator) provide tools to affiliates (i.e., customers) for the purpose of carrying out ransomware attacks, as Vladimir explains.

Customers may opt to split a piece of the profit with the RaaS provider, hold the earnings for themselves, or enroll in a pay-per-use plan that grants them access to updates, new harmful versions, and experimental features, depending on the contractual arrangement.

Affiliates can interact with the core operators, create support issues, and get fresh ransomware builds using BlackMatter’s private ransomware-as-a-service (RaaS) website.


A screenshot of a statement reportedly uploaded by the BlackMatter operators on the RaaS website on November 1st was supplied to security research firm VX-Underground today. Affiliates are warned in this article that the ransomware operation will be shut down in 48 hours.

Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) – project is closed.

After 48 hours the entire infrastructure will be turned off, allowing:

 * Issue mail to companies for further communication
* Get decryptor. For this write “give a decryptor” inside the company chat, where necessary.

We wish you all success, we were glad to work.


As explained by BleepingComputer, it’s unclear what “latest news” means, but the missing team members might be linked to a recent worldwide law enforcement operation that apprehended twelve people in association with 1,800 ransomware attacks across 71 states.

If this report is true, and BlackMatter is shutting down, it does not indicate that threat actors will stop extorting existing victims.

Even if BlackMatter shuts down its operation, it’s very possible to see them resurface as a different group in the future, as it is common for ransomware gangs to shut down their operations and relaunch under a new name when they are pressured by law enforcement or target a highly sensitive organization.

If you liked this article, make sure you follow us on LinkedInTwitterYouTubeFacebookand Instagramto keep up to date with everything cybersecurity.

Companies Affected by Ransomware [2022-2023]

Ransomware Payouts in Review: Highest Payments, Trends & Stats

Ransomware Explained. What It Is and How It Works

Ransomware-as-a-Service (RaaS) – The Rising Threat to Cybersecurity

BlackMatter Ransomware Claims to Be a Successor to DarkSide and REvil

Leave a Reply

Your email address will not be published. Required fields are marked *