In September 2021, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued an advisory to the health sector about an elevated threat of BlackMatter ransomware attacks. A few days ago, a second advisory was issued stating the threat level has been reduced to Blue/Guarded. HC3 said the ransomware-as-a-service (RaaS) operation appears to have been shut down and there have been no further victims listed on the BlackMatter RaaS data leak site since October 31, 2021.
The BlackMatter ransomware operation is believed by many security experts to be a rebranding of the DarkSide ransomware gang, which conducted the ransomware attack on Colonial Pipeline in May 2021 that disrupted fuel delivery to the Eastern Seaboard. The DarkSide operation was shut down shortly after the Colonial Pipeline attack, and BlackMatter ransomware attacks started in July 2021. Approximately half of the attacks conducted by the BlackMatter ransomware gang were on entities based in the United States, including at least four healthcare organizations, among them a pharmaceutical consulting company, a medical testing and diagnostics company, and a dermatology clinic.
On November 1, 2021, a member of the BlackMatter ransomware operation claimed the RaaS program was being shut down due to pressure from law enforcement and said key members of its group were no longer available. The remaining victims of the attacks were then moved to the LockBit ransomware negotiation site.
It is common for RaaS operations to shut down and then re-emerge under a different name with a different ransomware variant, as appears to be the case with DarkSide and BlackMatter. The affiliates of the operations who conduct the attacks for a cut of the profits simply switch to a competing ransomware operation and continue to conduct attacks. “While the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void,” warned HC3.
Since HC3 downgraded the threat from BlackMatter ransomware, evidence has emerged that the threat group has rebranded already. Researchers at Emsisoft believe Alphv ransomware, aka BlackCat, is a rebrand of BlackMatter. Individuals associated with Alphv have claimed the operation is run by former BlackMatter affiliates, but Emsisoft threat analyst Brett Callow thinks it is more likely that Alphv is BlackMatter, and the operators are attempting to distance themselves from their former operation.
While several ransomware operations have either shut down or been taken down by law enforcement over the past few months, including the notorious REvil ransomware operation, the threat of ransomware attacks remains high.