{
	"id": "512c9f30-2654-472f-9681-9206203909a1",
	"created_at": "2026-04-06T00:18:16.194723Z",
	"updated_at": "2026-04-10T03:35:52.861348Z",
	"deleted_at": null,
	"sha1_hash": "29c2207f259be3354599e3365608d95f6cd9f9c1",
	"title": "BlackMatter ransomware says its shutting down due to pressure from local authorities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90358,
	"plain_text": "BlackMatter ransomware says its shutting down due to pressure\r\nfrom local authorities\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-18 · Archived: 2026-04-05 13:47:21 UTC\r\nThe criminal group behind the BlackMatter ransomware have announced plans today to shut down their operation,\r\nciting pressure from local authorities.\r\nThe group announced its plan in a message posted in the backend of their Ransomware-as-a-Service portal, where\r\nother criminal groups typically register in order to get access to the BlackMatter ransomware strain.\r\nThe message, dated to Monday, November 1, 2021, and obtained by a member of the vx-underground infosec\r\ngroup, is pictured above and translated below:\r\nDue to certain unsolvable circumstances associated with pressure from the authorities (part of the team\r\nis no longer available, after the latest news) - the project is closed. After 48 hours, the entire\r\ninfrastructure will be turned off, it is allowed to:\r\n-Issue mail to companies for further communication.\r\n-Get decryptors, for this write \"give a decryptor\" inside the company chat where they are needed.\r\nWe wish you all success, we were glad to work. 
\r\nWhile the group did not explain the \"latest news\" that led to its decision to shut down, their announcement comes\r\nafter three major events that have taken place over the past two weeks.\r\nThe first of these were reports from Microsoft and Gemini Advisory that linked the FIN7 cybercrime group,\r\nconsidered the creators of the Darkside and BlackMatter strains, to a public cybersecurity firm named Bastion\r\nSecure, through which they allegedly recruited unwitting collaborators.\r\nThe second was the fact that security firm Emsisoft had secretly developed a decryption utility for the BlackMatter\r\nransomware strain, which the company had been secretly offering to victims in order to avoid them paying the\r\ngroup's ransom demands, putting a dent in its profits.\r\nThe third was a report from the New York Times this Sunday that announced that the US and Russia had started a\r\ncloser collaboration aimed at cracking down on Russia-based cybercrime and ransomware gangs, among others.\r\nThis is of importance because the FIN7 group has been historically believed to operate out of Russia.\r\nPolitical pressure mounting on ransomware gangs\r\nFIN7's recent announcement also comes after the operators and members of multiple ransomware operations have\r\nbeen hunted and arrested all over the world this summer.\r\nFor example, in their previous incarnation as the Darkside ransomware, the FIN7 group had to pull the plug on\r\ntheir operation after their servers were hacked and cryptocurrency funds were stolen, following a suspected law\r\nenforcement action.\r\nIn addition, rival ransomware gang REvil shut down not once, but twice, with the second time in October, after\r\nlaw enforcement backdoored and hijacked their dark web servers.\r\nFurthermore, just last week, Europol detained a Ukrainian group who orchestrated more than 1,800 
ransomware\r\nattacks with strains such as LockerGoga, MegaCortex, and Dharma, including the devastating attack on aluminum\r\nproducer Norsk Hydro in early 2019.\r\nThis period of intense pressure on ransomware gangs comes after attacks have reached an all-time high this year,\r\nwith some attacks causing major issues across the world. Examples here include the Darkside ransomware attack\r\non Colonial Pipeline (caused fuel supply issues for the US East Coast), the REvil attack on JBS Foods (disrupted\r\nmeat supply across the US), and the REvil attack on Kaseya (disrupted thousands of companies across the globe).\r\nAs Jeff Moss, founder of the Black Hat and DEF CON security conferences, said earlier today on Twitter, law\r\nenforcement agencies have typically known the identities of most ransomware operators but have also known they\r\ncouldn't go after some groups because of Russia's uncooperative behavior, something that appears to be changing\r\n– based on BlackMatter's statement.\r\nSuggests the authorities have known all along and only once the pressure increased did they act. 
It’s\r\nexamples like that that convinced me that ransomware is at least 50% a political problem.\r\nhttps://t.co/1Yi6KxriMD\r\n— Jeff Moss (@thedarktangent) November 3, 2021\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/"
	],
	"report_names": [
		"blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29c2207f259be3354599e3365608d95f6cd9f9c1.pdf",
		"text": "https://archive.orkl.eu/29c2207f259be3354599e3365608d95f6cd9f9c1.txt",
		"img": "https://archive.orkl.eu/29c2207f259be3354599e3365608d95f6cd9f9c1.jpg"
	}
}