BlackMatter ransomware group goes under, after pressure from authorities


A message posted on Twitter on Wednesday said that the BlackMatter ransomware group will be shutting down operations after facing ‘certain unsolvable circumstances associated with pressure from authorities (part of the team is no longer available, after the latest news) – the project is closed. After 48 hours, the entire infrastructure will be turned off.’

The message added that, during that window, mail could still be sent to companies for further communication and decryptors could be obtained; for this, ‘give a decryptor’ was to be written inside the company chat where needed.

These details were provided by ‘vx-underground’ on Twitter, translated from a Russian-language source. Vx-underground maintains one of the largest collections of malware source code, samples, and papers on the internet.

Paul Veeneman, President and COO, Beryllium InfoSec Collaborative


Cybersecurity expert Paul Veeneman told Industrial Cyber that the pressure came from an international coalition that included Europol, Norway, France, the Netherlands, Ukraine, the U.K., Germany, Switzerland, and the U.S.

“The collective activities of the aggregate international law enforcement community resulted in the apprehension of 12 suspects, allegedly responsible for participation in well over 1,500 ransomware cyber attacks globally,” according to Veeneman. BlackMatter has been one of the most prolific ransomware gangs on record, extorting an average of US$5.3 million per attack, with an estimated total revenue (as this is a business model) in the hundreds of millions of dollars in approximately four months. That level of impact, on a global scale, is going to galvanize a global response, which is likely the ‘pressure’ referenced by BlackMatter, he added.

Last month, U.S. security agencies had issued a joint cybersecurity advisory notifying organizations of cyber attackers using the BlackMatter ransomware that could potentially target multiple critical infrastructure entities. The joint advisory provided details on the tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment, as well as from trusted third-party reporting. It also outlined mitigations to help improve ransomware protection, detection, and response. Since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two U.S. food and agriculture sector organizations, the advisory pointed out.

Ransomware attacks have disrupted the lives of countless Americans, as attackers have both directly and indirectly targeted critical infrastructure owners and operators. Incidents have included a ransomware attack on the networks of fuel pipeline company Colonial Pipeline, which led the company to take certain systems offline. After that, JBS USA, a large beef supplier, paid a ransom to malicious cyber actors who had infiltrated its networks and threatened the U.S. meat supply.

Ransomware is a business model, with a marketplace, producers, and consumers, subject to many of the same principles that govern today’s industry, Veeneman said. “BlackMatter may show us that Facebook isn’t the only successful organization that occasionally needs to pivot and rebrand itself,” he added.

However, ‘rebranding’ as a global criminal enterprise represents more of a retooling, refinement, and resurgence, as witnessed previously: DarkSide and REvil formed BlackMatter, DoppelPaymer became Grief, Avaddon became Haron, and SynAck became El Cometa, according to Veeneman. “In fact, Conti appears to be the one constant, with activity as recent as October, demonstrating consistency in research and analysis of targets, methods of exploit, and evasion of law enforcement. It remains to be seen where BlackMatter resurfaces and in what form,” he added.

The announcement from BlackMatter that it is shutting down operations due to pressure from authorities should be met with skepticism, at best, Mark Carrigan, cyber vice president, process safety and OT cybersecurity at Hexagon PPM, wrote in an emailed statement.

“This would not be the first time that they, and others, have made such an announcement only to resurface at a later date. BlackMatter and others have developed a lucrative business model with almost no recriminations. Until there is real pressure, and cooperation from international governments, these criminal enterprises will continue to operate with impunity,” he added.

Veeneman warned that the U.S. critical infrastructure sectors and industries need to remain vigilant in a public/private commitment to cyber resilience – a trend which has been demonstrated by recent directives from the administration of U.S. President Joe Biden and the Cybersecurity and Infrastructure Security Agency (CISA), to address and resolve cyber security vulnerabilities within not only federal agencies but also private critical infrastructure entities across the United States.

“The vast threat landscape, essentially the Internet…which is a pretty big place, offers existing and emerging criminal organizations the resources to operate,” Veeneman said. “But consistent, constant, and collaborative pressure from a unified global law enforcement initiative certainly provides the foundation for improving the situation we find ourselves in currently,” he added.
