BlackMatter Ransomware Moves Victims to LockBit After Shutdown
With the BlackMatter ransomware operation shutting down, existing affiliates are moving their victims to the competing LockBit ransomware site for continued extortion.
This morning, news broke that the BlackMatter ransomware gang is shutting down after members have gone missing and pressure from law enforcement has increased.
As part of this shutdown, the ransomware operators are allowing affiliates to receive decryptors for existing negotiations so that they can continue extorting victims.
While BlackMatter’s infrastructure is still live, BleepingComputer has learned that affiliates are moving existing victims to the LockBit ransomware negotiation site.
In existing BlackMatter negotiation chats, affiliates are providing victims with links to LockBit’s Tor sites, where new negotiation pages have been set up for them.
At these LockBit negotiation pages, the BlackMatter affiliates continue to negotiate with victims to receive a ransom payment.
As for BlackMatter, they are continuing their shutdown, with today’s activities focused on deleting their presence from Russian-speaking hacking forums.
Security researcher pancak3lullz has been following BlackMatter’s cleanup activities, showing that the gang withdrew 4 Bitcoins (~$250,000) today from the Exploit hacking forum and deactivated their account.
The gang has also been editing their existing posts on forums and asking moderators to delete them.
With REvil and BlackMatter now shut down, LockBit has become one of the largest and most successful ransomware operations running today.
The LockBit representative known as ‘LockbitSupp’ has proven to be a savvy threat actor who constantly adjusts tactics to recruit new affiliates, especially as established operations shut down.
While BlackMatter will likely rebrand and return as a new ransomware operation, their partnership with LockBit may hurt them in the long run as they lose experienced affiliates.