Expert comments on BlackMatter ’shutting down operations’

November 2021 by Experts

Following the news BlackMatter are shutting down operations, cyber experts share the following comments:

David Sygula, Senior Cybersecurity Analyst at CybelAngel comments:
“Although no clear confirmation has been made by the group so far, their leaking website is offline. There’s always a bit of a mystery when a group stops their activity, the reasons are never clear, but either way there is little chance that it means the end of the group.

A rebranding sounds like a good option and it’s also what is to be expected. Every time a group catches too much attention, it’s easier to rebrand and start from scratch - or so it seems - to blur their tracks. But being ironically victims of their own success and no matter under what name, they will come back, and we will quickly make the link with their previous operations. Their name may change, but their techniques won’t.”

Callum Roxan, Head of Threat Intelligence at F-Secure comments:
“As BlackMatter is widely considered to be a rebranded group of DarkSide, that similarly "shut down" due to external pressures, it is certainly possible the group could rebrand again and continue to operate. However, the BlackMatter announcement does suggest that some group members may no longer be at liberty to operate as cyber-criminals and this could cause the remaining members to splinter or find other pursuits due to the heat they may be feeling from external parties. In the wider picture, there remains a number of active Ransomware-as-a-Service (RaaS) operators and affiliates that ex-BlackMatter members can look to operate with going forward if they wish.”

Calvin Gan, Senior Manager with F-Secure’s Tactical Defense Unit comments:
“When a ransomware group shuts, affiliates are now free to join other groups or rivals to continue their operations. BlackMatter running a Ransomware-as-a-Service model and announcing a shutdown would indicate they are no longer providing the actual ransomware encryption service. The developers behind the ransomware are typically highly skilled and if they have not been identified by authorities, they could potentially live a normal life joining a corporate organization or move on to join another group.

When a ransomware group announces a shutdown, they have been known to release a master decryption key to the public before calling it quits. BlackMatter has done just that in their announcement, and it is likely victims of BlackMatter will soon be able to obtain a decryptor. However, BlackMatter has been assumed to be an incarnation of DarkSide ransomware (responsible for the Colonial Pipeline attack), who also announced a shutdown after increased attention from authorities and government. With BlackMatter now shutting down after just a few months of operations, it does seem to indicate that law enforcement may have already known the identity of the group members, and this was realized by the group.

With recent arrests and takedowns of different ransomware groups (REvil infrastructure taken down, Europol detaining a Ukrainian group linked to a few ransomware attacks), it is probably a proactive step for these ransomware groups to lay low for the moment. This shouldn’t be seen as the end because the financial motivation behind these attacks is probably far too large for them to give up easily. At the same time, there are still other active ransomware groups that are operating so organizations and defenders should not be taking a breather, but focus on disrupting them further.

It would not be surprising if this particular group rebrands in later months, as this would not be the first time nor the first group who has rebranded (e.g. REvil a rebrand of GandCrab, Conti ransomware being the successor of Ryuk, or Karma ransomware likely a rebrand of Nemty ransomware).”
