In September 2021, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) released a notification warning the health sector of an elevated threat from BlackMatter ransomware attacks. A couple of days ago, another notification was released stating that the threat level had been lowered to Blue/Guarded. HC3 stated that the ransomware-as-a-service (RaaS) operation appears to have been shut down and that no new victims have been posted on the BlackMatter data leak website since October 31, 2021.
The BlackMatter ransomware group is considered by many security specialists to be a rebrand of the DarkSide ransomware group, which carried out the cyberattack on Colonial Pipeline in May 2021 that disrupted fuel deliveries to the Eastern Seaboard. The DarkSide operation was shut down immediately after the Colonial Pipeline attack. Since BlackMatter ransomware attacks began in July 2021, roughly 50% of the victims have been entities located in the United States, including healthcare institutions such as a pharmaceutical consulting firm, a medical testing and diagnostics organization, and a dermatology center.
On November 1, 2021, a member of the BlackMatter ransomware operation stated that the RaaS program was being shut down because of pressure from the authorities, and said that key members of the gang were no longer available. The remaining victims were then transferred to the LockBit ransomware negotiation website.
It is common for RaaS operations to shut down and then reappear under a new name with a new ransomware variant, which appears to be what happened with DarkSide and BlackMatter. The affiliates who carry out the ransomware attacks in exchange for a percentage of the revenue simply move to a competing ransomware group and continue their attacks.
A number of ransomware operations have either shut down or been taken down by law enforcement in the last couple of months, including the notorious REvil ransomware operation, which was itself thought to be a rebranding of the GandCrab ransomware operation. Despite these shutdowns, the threat of ransomware attacks remains high.
HC3 warned that although the group appears to have ceased operations, other threat actors seeking the high profits of ransomware attacks are likely to take its place.