BlackMatter ransomware moves victims to LockBit after shutdown

By Lawrence Abrams
Published: 2021-11-03 · Archived: 2026-04-05 13:38:47 UTC

With the BlackMatter ransomware operation shutting down, existing affiliates are moving their victims to the competing LockBit ransomware site for continued extortion.

This morning, news broke that the BlackMatter ransomware gang is shutting down after members went missing and pressure from law enforcement increased.

As part of this shutdown, the ransomware operators are allowing affiliates to receive decryptors for existing negotiations so that they can continue extorting victims.

While BlackMatter's infrastructure is still live, BleepingComputer has learned that affiliates are moving existing victims to the LockBit ransomware negotiation site.

In existing BlackMatter negotiation chats, affiliates are providing victims with links to LockBit's Tor sites, where new negotiation pages have been set up for them.

[Image: BlackMatter affiliate transferring victim to LockBit site. Source: BleepingComputer]

At these LockBit negotiation pages, the BlackMatter affiliates continue to negotiate with victims to receive a ransom payment.

As for BlackMatter, they are continuing their shutdown, with today's activities focused on deleting their presence from Russian-speaking hacking forums.

Security researcher pancak3lullz has been following BlackMatter's cleanup activities, showing that the gang withdrew 4 Bitcoins (~$250,000) today from the Exploit hacking forum and deactivated their account.

The gang has also been editing their existing posts on forums and asking moderators to delete them.

[Image: BlackMatter deleting posts on hacking forums. Source: pancak3lullz]

With REvil and BlackMatter now shut down, LockBit has become one of the largest and most successful ransomware operations running today.

The LockBit representative known as 'LockbitSupp' has proven to be a savvy threat actor who constantly adjusts tactics to recruit new affiliates, especially as established operations shut down.

While BlackMatter will likely rebrand and return as a new ransomware operation, their partnership with LockBit may hurt them in the long run as they lose experienced affiliates.

Source: https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/