Black Matter, a DarkSide Offshoot Hacker Group, Closes Shop


The Black Matter ransomware gang, believed to be an offshoot of the DarkSide group, announced that it's shutting down all its services and infrastructure.

The announcement was publicized by the vx-underground Twitter account. Vx calls itself the "largest collection of malware source code, samples and papers" online.

The post was screencapped by vx-underground and is in Russian. It states that due to "unsolvable circumstances" and increased pressure from the authorities, an essential part of the ransomware gang's "team" is missing. The post also states that Black Matter is quitting as a result of "recent news". There is no explicit explanation of what this news is, but combined with the statement that an essential gang member is "unavailable", this could mean that a core member of the hacker group has been arrested.

Black Matter used the post to inform its affiliates that all infrastructure will be shut down within 48 hours. After that, third parties working with the ransomware will only be able to use email to communicate with victims, and can ask for decryption tools in the company chats provided by Black Matter.

The consensus is that Black Matter is a rebranding of the DarkSide group, which was forced to lie low after the botched attack on Colonial Pipeline. This particular hack job caused a massive fuel shortage in the eastern parts of the US and drew massive backlash from the FBI and other authorities. Even though DarkSide blamed their affiliates for trying to bite off more than anyone can chew, the entire ransomware gang seemed to disappear under pressure.

A few weeks later, Black Matter emerged, using similar tools and tactics. It is believed to be an offshoot formed by DarkSide members.

Ransomware gangs have faced unprecedented backlash and combined pressure from authorities acting internationally. A combined effort by the US Cyber Command and several other countries' governments led to the takedown of the REvil ransomware gang just a few days ago. A week after this event, Ukrainian residents who were behind several other strains of ransomware were arrested by Europol.

It would seem the massive pressure exerted by multiple countries' authorities has put ransomware gangs on the run, despite a recent effort by the Russian-language Groove cyber gang to rally the remaining threat actors and encourage them to attack US targets. Whether this is yet another temporary lull and the Black Matter ransomware gang will resurface under a different name remains to be seen.