BlackMatter Ransomware Operation Shuts Down

Law enforcement agencies around the world have stepped up their efforts to disrupt ransomware gangs in recent months. The infrastructure of the notorious REvil ransomware gang was recently compromised by law enforcement in an international operation, Europol announced a dozen key members of ransomware gangs had been arrested in Ukraine and Switzerland, and now the BlackMatter ransomware gang has announced it is shutting down its ransomware-as-a-service operation.

On November 1, 2021, VX-Underground received a screenshot of a message allegedly posted to the BlackMatter RaaS web portal which announced to affiliates that the RaaS operation would be shut down within 48 hours due to pressure from law enforcement. VX-Underground said the screenshot was sent to them by someone who claimed to be a BlackMatter affiliate.

The post said due to unsolvable circumstances associated with law enforcement activity, part of its team is no longer available and, as such, the project is closed. The group said that within 48 hours its entire infrastructure would be turned off. The post appeared to suggest that any affiliates who had succeeded in using the ransomware to encrypt files on victims’ networks would still be able to obtain the decryptors so they could monetize the attacks on their own.

Based on the scant information provided in the post it is unclear whether key members of the operation have been arrested or if key team members decided to call it quits due to ongoing law enforcement operations. It is possible that the shutdown is tied to the recent arrests made in the international law enforcement operation coordinated by Europol. That operation saw individuals arrested who were suspected of providing specialized services related to attacks, including initial intrusions, lateral movement, and money laundering and cashing out.

Europol said the 12 individuals were believed to have assisted with more than 1,800 ransomware attacks using ransomware variants such as LockerGoga, MegaCortex, and Dharma. No mention was made by Europol about BlackMatter ransomware attacks, although individuals involved in ransomware attacks are known to work with multiple ransomware operations.

Given the large sums of money earned by ransomware gangs, it is unlikely that the threat actors behind BlackMatter ransomware will simply quit. More likely, they will return with a new ransomware-as-a-service operation in the coming weeks.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of