Privacy Ninja

BlackMatter Ransomware Moves Victims to LockBit After Shutdown

BlackMatter Ransomware Moves Victims to LockBit After Shutdown

With the BlackMatter ransomware operation shutting down, existing affiliates are moving their victims to the competing LockBit ransomware site for continued extortion.

This morning, news broke that the BlackMatter ransomware gang is shutting down after members have gone missing and increased pressure by law enforcement.

As part of this shutdown, the ransomware operators are allowing affiliates to receive decryptors for existing negotiations so that they can continue extorting victims.

Also Read: Facts About Accountability PDF That You Need to Know About

While BlackMatter’s infrastructure is still live, BleepingCompuer has learned that affiliates are moving existing victims to the LockBit ransomware negotiation site.

In existing BlackMatter negotiation chats, affiliates are providing victims links to LockBit’s Tor sites where new negotiation pages have been setup for them.

BlackMatter affiliate transfering victim to LockBit site
BlackMatter affiliate transfering victim to LockBit site
Source: BleepingComputer

At these LockBit negotiation pages, the BlackMatter affiliates continue to negotiate with victims to receive a ransom payment.

As for BlackMatter, they are continuing their shut down, with today’s activities being to delete their presence from Russian-speaking hacking forums.

Security researcher pancak3lullz has been following BlackMatter’s cleanup activities, showing that the gang withdrew 4 Bitcoins (~$250,000) today from the Exploit hacking forum and deactivated their account.

Also Read: 5 Brief Concepts Between Data Protection Directive vs GDPR

Deactivating accounts on hacking forums
Source: pancak3lullz

The gang has also been editing their existing posts on forums and asking moderators to delete them.

BlackMatter deleting posts on hacking forums
BlackMatter deleting posts on hacking forums
Source: pancak3lullz

With REvil and BlackMatter now shut down, LockBit has become one of the largest and most successful ransomware operations running today.

The LockBit representative known as ‘LockbitSupp’ has shown to be a savvy threat actor who constantly adjusts tactics to recruit new affiliates, especially as established operations shut down.

While BlackMatter will likely rebrand and return as a new ransomware operation, their partnership with LockBit may hurt them in the long run as they lose experienced affiliates.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us