On Tuesday, the ransomware group BlackMatter told affiliates it would shut down operations due to law enforcement pressure. A Russia-based group, BlackMatter's reasons would imply some of the international community's efforts to get Russia to enforce cybercrime laws were bearing fruit. Not so fast, say experts.
"There's no doubt that the recent surge in focused operations against ransomware infrastructure and groups by the U.S. and international law enforcement community has had an effect, [but] it is unclear if the impact of government-led actions will force BlackMatter out of existence or just cause them to go quiet and re-emerge months from now with a new brand," said Mike DeBolt, chief intelligence officer of Intel 471.
International cooperation, particularly from nations known to harbor cybercriminals, has long been a sticking point in the fight against ransomware. Ransomware groups based in Russia have traditionally enjoyed a tacit understanding with the government that if they do not victimize Russians, they will not be pursued by law enforcement. A study in September from Chainalysis noted that 90% of ransoms were paid to ransomware specifically designed to avoid Russian-speaking victims.
After the high profile ransomware attacks in early 2021, as ransomware policy debates in the United States began to heat up, attention began to shift to Russia. The Biden administration began to push Moscow to punish crime at home — with Russia publicly agreeing to help after a summit between the United States and Russian presidents.
BlackMatter's swan song was first reported by VX Underground, who translated a Russian language communication from the group to its affiliates: "Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available). After 48 hours, the entire infrastructure will be turned off."
But DeBolt and others caution against taking BlackMatter at its word over why it is going out of business.
"There's a kind of pattern of practice of these groups were they supposedly close up shop but then pop up again three weeks later," said Megan Stifel, chief strategy officer at the Institute for Security and Technology and a co-chair of the multistakeholder research group the Ransomware Task Force.
BlackMatter, for example, has done this once before. Until this summer, the group is widely believed to have been operating as DarkSide, the ransomware group most famous for disrupting the Colonial Pipeline. DarkSide, too, had abruptly exited the market amid international attention after Colonial Pipeline briefly shutdown. Alongside REvil's attacks on JBS and Kaseya, mainstream headlines over attacks had made for an inhospitable environment for any ransomware group to operate — particularly one in the spotlight. Cybercrime forums kicked ransomware operators off.
On Wednesday, over 24 hours after the BlackMatter announcement, the State Department announced a $10 million bounty on information leading to the identification or capture of DarkSide leadership. While there is no reason to assume the group knew in advance they would receive this kind of direct pressure, the amount of global cooperation to crack down on ransomware has been rising steadily. REvil, for example, was hacked by law enforcement, the head of U.S. CyberCom announced a surge against ransomware groups, and Europol has been more aggressive.
As for Russian cooperation, Stifel said to wait for a consistent pattern before believing there will be a continued effort.
"The proof with Russia is never the near-term signs of success. It's longer-term indicia of impact," she said.
Experts are more cautious than optimistic about what the Black Matter announcement could mean. But there is some hope to be cautiously optimistic.
"We don’t know for sure, and time will tell, but for now this is at least a potentially positive development," said David Kris, former assistant attorney general for the National Security Division of the Department of Justice and founder of the Culper Partners consulting group.
