As part of this shutdown, the ransomware threat actors are allowing affiliates to obtain decryption tools for existing negotiations, enabling them to keep extorting victims.
As explained by BleepingComputer, while BlackMatter’s infrastructure remains operational, the operation’s affiliates are transferring current victims to the LockBit ransomware negotiation site.
In BlackMatter negotiation chats that already exist, affiliates are directing victims to LockBit’s Tor sites, where new negotiation pages are created specifically for them. The BlackMatter affiliates continue to negotiate with victims on these LockBit negotiation pages in order to obtain the requested ransom.
BlackMatter is still shutting down, and today’s activity consisted of removing their profile from Russian hacking forums.
BlackMatter’s cleanup actions have been monitored by security expert pancak3lullz, who discovered that the group withdrew 4 Bitcoins ($250,000) from the Exploit hacking site today and deleted their account.
With the removal of the REvil and BlackMatter ransomware operations, LockBit has grown to become one of the largest and most successful ransomware organizations operating today.
At this point it’s not clear whether core group members are ‘unavailable’ because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that’s a sign that saber rattling appears to be helping. But we shouldn’t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month.
This was already hurting relationships with affiliates. It’s not hard to imagine that, given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats.