BlackMatter ransomware group announces shutdown. But for how long?

BlackMatter ransomware group announces shutdown. But for how long?

The BlackMatter ransomware gang has announced they are going to shut down their operation, citing pressure from local authorities.

And pressure there is. Only two weeks ago, we wrote about a warning that the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) had issued over BlackMatter ransomware.

Missing staff

One revealing sentence in the posted message says that “part of the team is no longer available, after the latest news.” This could well be a reference to an announcement made by Europol last week, after it arrested 12 individuals “wreaking havoc across the world with ransomware attacks against critical infrastructure.”

Even though the announcement does not mention BlackMatter specifically, it says these individuals were known to have deployed LockerGoga, MegaCortex and Dharma ransomware, among others. And as we have published before, most of the major ransomware gangs are connected somehow.

The BlackMatter business model

BlackMatter is a ransomware-as-a-service (RaaS) that allows the developers to profit from cybercriminal affiliates who deploy it against victims. BlackMatter is a possible rebrand of DarkSide, and has some similarities to REvil. Both DarkSide and REvil have had to shut down.

It would not come as a surprise if the group decides to make some sort of comeback. This may be with an “improved” product, new staff, rebrand, or all three. Time will tell, but it is unlikely that the business model that allowed them to make a fortune, will be completely abandoned.

One of the disadvantages for such groups is that affiliates are unlikely to wait for a rebirth of the group and may flock to other groups rather than wait for BlackMatter to come back in some form.

How to protect yourself from ransomware

Last month, CISA published a joint Cybersecurity Advisory about BlackMatter Ransomware. The CISA alert lists technical details in the form of Tactics, Techniques, and Procedures (TTPs) based on the MITRE ATT&CK for Enterprise framework, detection signatures, and mitigations.

Most of the mitigation strategies will look very familiar to our regular readers, but it’s always worth repeating them. And you may spot some new ones.

  • Use strong and unique passwords. Passwords should never be reused across multiple accounts or stored on a system where an adversary may gain access. Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each individual administrative account.
  • Implement and require Multi-Factor Authentication (MFA) where possible, and especially for webmail, virtual private networks, and accounts that access critical systems.
  • Patch and update. Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
  • Limit access to resources over the network. Remove unnecessary access to administrative shares, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity. Use a host-based firewall to only allow connections to administrative shares via Server Message Block (SMB) from a limited set of administrator machines.
  • Implement network segmentation and traversal monitoring. This will hinder an adversary from learning the organization’s enterprise environment. Many attackers use system and network discovery techniques for network and system mapping.
  • Implement time-based access for accounts set at the admin-level and higher. BlackMatter operatives used compromised credentials during non-business hours, allowing them to go undetected for longer periods.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities that run from the command line.
  • Implement and enforce backup and restoration policies and proceduresDoing backups right is not as easy as some may think. Make sure they are recent, cannot be altered or deleted, and cover the entire organization’s data infrastructure.

Furthermore, CISA, the FBI, and NSA urged critical infrastructure organizations to apply the following additional mitigations to reduce the risk of credential compromise:

  • Disable the storage of clear text passwords in LSASS memory.
  • Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
  • Implement Credential Guard for Windows 10 and Server 2016.
  • Minimize the Active Directory (AD) attack surface to reduce malicious ticket-granting activity. Ticket Granting services can be used to obtain hashed credentials that attackers attempt to crack or use in pass-the-hash methods.

Stay safe, everyone!


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.