Further to the news that the ransomware group BlackMatter has ceased operations, many security experts are concerned that the group has not fully disappeared.
To canvass opinion, Digital Journal caught up with George Glass, Redscan head of threat intel, and Dr Süleyman Özarslan, co-founder of Picus Security and head of Picus Labs.
Picus is a Turkish security company specialising in simulating the attacks of cybercriminal gangs (including BlackMatter and DarkSide before them).
What was BlackMatter?
BlackMatter was a relatively new ransomware threat discovered at the end of July 2021.
This group started with a run of attacks and some advertising from its developers claiming that they had taken the best parts of other malware, such as GandCrab, LockBit and DarkSide. According to McAfee Enterprise Advanced Threat Research (ATR), the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack, which caught the attention of the U.S. government and law enforcement agencies around the world.
The main goal of BlackMatter was to encrypt files on the infected computer and demand a ransom for decrypting them. A second goal was to steal files and private information from compromised servers and demand an additional ransom in exchange for not publishing them on the Internet.
Dr Süleyman Özarslan, Picus Security
According to Özarslan, we can expect the same hacker group to return in a different guise: “BlackMatter is operated by the same criminals behind the DarkSide ransomware gang so it’s highly likely that the perpetrators will reform under a different guise.”
This occurs, says Özarslan, because: “Ransomware gangs are highly resilient and typically rebrand in 6-month cycles. After the Colonial Pipeline attack, for example, DarkSide was banned from many cybercrime forums for attacking a provider of critical infrastructure – prompting the decision to reform under a new name.”
These rogue actors are driven by “The high financial returns from ransomware attacks”, which leads Özarslan to conclude: “It’s reasonable to assume that the BlackMatter ransomware gang will not stop anytime soon, despite growing pressure from authorities.”
George Glass, Redscan
Glass takes a similar view to Özarslan, explaining: “I expect this is BlackMatter saying au revoir, not goodbye. These kinds of announcements rarely mean that a gang is gone for good; they may simply be lying low after extremely high-profile campaigns and mounting pressure from the police. We will probably see them or at least some of their members reappear in the future under a different name, or with a different MO. We will certainly see the same methods being applied at scale by other operators, whether that involves BlackMatter members or not.”
Citing a prominent example, Glass says: “REvil is a prime example that ransomware gangs frequently come and go. When gangs disband, some actors retire. However, in many cases they simply reform under another guise or members within them move into other gangs. It’s a very big game of whack-a-mole.”
Glass regards the ransomware world as a bit of a see-saw: “The level of attention that groups receive from the authorities is often a key determining factor in actors deciding to scale back their operations. However, as with any type of crime, there will most likely be actors who are still willing to take risks, maybe because they are outside of the jurisdiction of authorities or simply because they do not believe they will be caught.”