Following Its Shutdown, the BlackMatter Ransomware Gang Transfers Victims to LockBit
BlackMatter Transfers Its Victims Over the LockBit Ransomware Website to Continue Negotiating Ransom Payments.
Yesterday we announced that due to pressure from authorities and recent law enforcement operations, BlackMatter decided to shut down its activities.
According to BleepingComputer, following the shutdown, BlackMatter developers have already started transferring victims to the LockBit ransomware website to continue negotiating ransom demands.
The ransomware group that calls itself BlackMatter claims to be a successor to now-defunct Darkside and REvil, two other notorious ransomware threat actors responsible for the cyberattacks on Colonial Pipeline and Kaseya.
The ransomware threat actors allow associates to obtain decryption tools for existing negotiations as part of this shutdown, enabling them to keep extorting victims.
As explained by BleepingComputer, while BlackMatter’s infrastructure remains operational, the operation’s affiliates are transferring current victims to the LockBit ransomware negotiation site.
In BlackMatter negotiation chats that already exist, affiliates are directing victims to LockBit’s Tor sites, where new negotiation pages are created specifically for them. The BlackMatter affiliates continue to negotiate with victims on these LockBit negotiation pages in order to obtain the requested ransom.
BlackMatter is still shutting down, with today’s operations consisting of removing their profile from Russian hacking forums.
BlackMatter’s cleanup actions have been monitored by security expert pancak3lullz, who discovered that the group withdrew 4 Bitcoins ($250,000) from the Exploit hacking site today and deleted their account.
— панкейк (@pancak3lullz) November 3, 2021
In addition, the hacker group has been changing its existing forum posts and requesting that they be removed by admins.
With the removal of the REvil and BlackMatter ransomware operations, LockBit has grown to become one of the largest and most successful ransomware organizations operating today.
At this point it’s not clear whether core group members are ‘unavailable’ because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping. But we shouldn’t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month.
This was already hurting relationships with affiliates. It’s not hard to imagine given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats.