{
	"id": "7047d714-626e-42a8-9dc8-38de60220892",
	"created_at": "2026-04-06T00:17:05.639925Z",
	"updated_at": "2026-04-10T13:12:38.890174Z",
	"deleted_at": null,
	"sha1_hash": "4f9b9dbd5ddb38a3033bdc091c69dd24434f4ce1",
	"title": "BlackMatter ransomware moves victims to LockBit after shutdown",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3385645,
	"plain_text": "BlackMatter ransomware moves victims to LockBit after shutdown\r\nBy Lawrence Abrams\r\nPublished: 2021-11-03 · Archived: 2026-04-05 13:38:47 UTC\r\nWith the BlackMatter ransomware operation shutting down, existing affiliates are moving their victims to the competing\r\nLockBit ransomware site for continued extortion.\r\nThis morning, news broke that the BlackMatter ransomware gang is shutting down after members have gone missing and\r\nincreased pressure by law enforcement.\r\nAs part of this shutdown, the ransomware operators are allowing affiliates to receive decryptors for existing negotiations so\r\nthat they can continue extorting victims.\r\nhttps://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nWhile BlackMatter's infrastructure is still live, BleepingCompuer has learned that affiliates are moving existing victims to\r\nthe LockBit ransomware negotiation site.\r\nIn existing BlackMatter negotiation chats, affiliates are providing victims links to LockBit's Tor sites where new negotiation\r\npages have been setup for them.\r\nBlackMatter affiliate transfering victim to LockBit site\r\nSource: BleepingComputer\r\nAt these LockBit negotiation pages, the BlackMatter affiliates continue to negotiate with victims to receive a ransom\r\npayment.\r\nAs for BlackMatter, they are continuing their shut down, with today's activities being to delete their presence from Russian-speaking hacking forums.\r\nSecurity researcher pancak3lullz has been following BlackMatter's cleanup activities, showing that the gang withdrew 4\r\nBitcoins (~$250,000) today from the Exploit hacking forum and deactivated their account.\r\nThe gang has also been editing their existing posts on forums and asking moderators to delete them.\r\nhttps://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\nPage 3 of 5\n\nBlackMatter deleting posts on hacking forums\r\nSource: pancak3lullz\r\nWith REvil and BlackMatter now shut down, LockBit has become one of the largest and most successful ransomware\r\noperations running today.\r\nThe LockBit representative known as 'LockbitSupp' has shown to be a savvy threat actor who constantly adjusts tactics to\r\nrecruit new affiliates, especially as established operations shut down.\r\nWhile BlackMatter will likely rebrand and return as a new ransomware operation, their partnership with LockBit may hurt\r\nthem in the long run as they lose experienced affiliates.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nhttps://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\nPage 4 of 5\n\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\nhttps://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/"
	],
	"report_names": [
		"blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434625,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f9b9dbd5ddb38a3033bdc091c69dd24434f4ce1.pdf",
		"text": "https://archive.orkl.eu/4f9b9dbd5ddb38a3033bdc091c69dd24434f4ce1.txt",
		"img": "https://archive.orkl.eu/4f9b9dbd5ddb38a3033bdc091c69dd24434f4ce1.jpg"
	}
}