Distributors of BlackMatter ransomware have announced plans to shut down amid mounting pressure from law enforcement.

VX-Underground, a security research group, was sent a screenshot of a message allegedly posted by the BlackMatter operators on November 1st on their site. The post warns affiliates that the ransomware operation was shutting down in 48 hours.

The group, according to BleepingComputer, wrote, "Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news), the project is closed. After 48 hours, the entire infrastructure will be turned off, allowing:

  •  Issue mail to companies for further communication
  • Get decryptor. For this, write "give a decryptor" inside the company chat, where necessary.

We wish you all success, we were glad to work," 

Though it is unclear which "news" the group refers to, it could be related to an international law enforcement operation conducted by Europol, which resulted in the arrest of 12 individuals allegedly linked to ransomware attacks against 1,800 victims in 71 countries. 

Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, says, "At this point, it's not clear whether core group members are "unavailable" because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that's a sign that saber-rattling appears to be helping. But we shouldn't forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month. This was already hurting relationships with affiliates. It's not hard to imagine given the strained operations model, and it might not take much pressure from authorities for core BlackMatter members to hang up their hats."

The ransomware-as-a-service site will allow affiliates to receive decryptors for existing victims so they can continue to extort victims, BleepingComputer reports. 

Xue Yin Peh, a Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, explains, "We have seen this phenomenon with a few ransomware groups now — DarkSide, Avaddon, and Egregor are just some examples of groups that folded their operations following the after-effects of a prominent attack."

She adds, "Although BlackMatter's announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter:

  • Members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities,
  • Member or affiliates are absorbed into the ransomware-as-a-service programs of other groups, or
  • BlackMatter will rebrand into a new program under another name

"Given how highly lucrative ransomware operations are, it is unlikely that those behind BlackMatter will cease operations entirely. An eventual rebranding seems more probable, but how soon this will happen remains to be seen. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools, and then re-emerge with a new and improved payload."