BlackMatter Ransomware Group Closure

Article by • November 15, 2021

Explore More

Why we’re Staying Alert after BlackMatter Ransomware Group Closure

On 3rd November, Bleeping Computer reported that the BlackMatter Ransomware-as-a-Service group had posted a message alerting users that its operations were ceasing within 48 hours. The message advised affiliates to obtain their decryption keys so that they could continue to extort current victims.

According to the message, BlackMatter had experienced “pressure from the authorities” and “part of the team is no longer available.” Industry observers have linked this announcement to the international law enforcement effort to hunt down Ransomware gangs following the high profile attacks on the Colonial Pipeline and Norsk Hydro, which culminated in the co-ordinated arrests of 12 hackers on the 26th October in Switzerland and Ukraine.

Cyber security reporters have speculated whether this is the end of the BlackMatter gang, or whether the members would simply rebrand. In my view, if they have learned anything from the actions of the REvil gang, the individual members of BlackMatter will go their separate ways to avoid attracting more attention from law enforcement.

BlackMatter Ransomware Group Closure

Growing Gangs

It is likely that individual members will join other gangs or start freelancing for the larger gangs. Conti is currently one of the more attractive gangs, as (according to an investigation by CISA) it pays freelancers a wage as opposed to commission based on ransom gained from a successful attack. Alternatively, by recruiting through online forums such as RAMP, it’s more than likely that former BlackMatter members will form their own gangs. The ransomware ecosystem is a lot like a Hydra – cut off one head, and two more appear in their place. 

While the core members may well wish to keep going, we expect that the gang would be significantly restructured. Using any of the old codebases for the ransomware would be a risk in itself, as that would be a big giveaway to the international cyber community that BlackMatter is operating again and would invite another intervention from law enforcement agencies in Europe, Ukraine, the US and UK.


In conclusion, while this international law enforcement action appears to have been successful in disrupting BlackMatters, businesses cannot afford to lower their guard. The remaining members of the gang will regroup and return to their activities.

As we wrote in the wake of the Colonial Pipeline ransomware attack, which wreaked havoc on fuel supplies to the US East coast, the tactics used to breach the organisation could have been thwarted with a combination of proper VPN configuration, use of multi-factor authentication and Dark Web Monitoring to understand whether company credentials had been leaked and could be weaponised to attack the network.

Whatever name ransomware gangs go by, their tactics are broadly similar and therefore a range of standard defences can be applied using secure configuration and monitoring services, as well as bespoke services tailored to your organisation. Contact us for further information on how we can help to discover loopholes in your defences and close them before bad actors test the locks.


Bleeping Computer, ‘BlackMatter ransomware group claims to be shutting down due to police pressure,’ 3rd November 2021


Liam is one of the senior consultants at Pentest People, with a wide range of skills and experience from Web Applications to Social Engineering he's able to give great comments and opinions on cybersecurity matters.