article featured image


Yesterday we announced that due to pressure from authorities and recent law enforcement operations, BlackMatter decided to shut down its activities.

According to BleepingComputer, following the shutdown, BlackMatter developers have already started transferring victims to the LockBit ransomware website to continue negotiating ransom demands.

The ransomware group that calls itself BlackMatter claims to be a successor to now-defunct Darkside and REvil, two other notorious ransomware threat actors responsible for the cyberattacks on Colonial Pipeline and Kaseya.

The ransomware threat actors allow associates to obtain decryption tools for existing negotiations as part of this shutdown, enabling them to keep extorting victims.

As explained by BleepingComputer, while BlackMatter’s infrastructure remains operational, the operation’s affiliates are transferring current victims to the LockBit ransomware negotiation site.

In BlackMatter negotiation chats that already exist, affiliates are directing victims to LockBit’s Tor sites, where new negotiation pages are created specifically for them. The BlackMatter affiliates continue to negotiate with victims on these LockBit negotiation pages in order to obtain the requested ransom.

BlackMatter affiliate transfering victim to LockBit site


BlackMatter is still shutting down, with today’s operations consisting of removing their profile from Russian hacking forums.

BlackMatter’s cleanup actions have been monitored by security expert pancak3lullz, who discovered that the group withdrew 4 Bitcoins ($250,000) from the Exploit hacking site today and deleted their account.

In addition, the hacker group has been changing its existing forum posts and requesting that they be removed by admins.

BlackMatter deleting posts on hacking forums


With the removal of the REvil and BlackMatter ransomware operations, LockBit has grown to become one of the largest and most successful ransomware organizations operating today.

At this point it’s not clear whether core group members are ‘unavailable’ because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping. But we shouldn’t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month.

This was already hurting relationships with affiliates. It’s not hard to imagine given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats.


If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo