Connect with us

Hi, what are you looking for?

Tech & Science

Security experts expect to see BlackMatter ransomware gang again soon

As security service take action and some hacker groups disappear into the ether, the risk of a return always remains.

Investors are pumping millions of dollars into encryption as unease about data security drives a rising need for ways to keep unwanted eyes away from personal and corporate information — © AFP
Investors are pumping millions of dollars into encryption as unease about data security drives a rising need for ways to keep unwanted eyes away from personal and corporate information — © AFP

Further to the news that ransomware group BlackMatter, has ceased operations, many security experts are concerned that the group has not fully disappeared.

To canvass opinion, Digital Journal caught up with r George Glass, Redscan head of threat intel and Dr Süleyman Özarslan, co-founder of Picus Security and head of Picus Labs.

Picus is a Turkish security company specialising in simulating the attacks of cybercriminal gangs (including BlackMatter and DarkSide before them). 

What was BlackMatter?

BlackMatter was a relatively new ransomware threat discovered at the end of July 2021.

This group started with a run of attacks and some advertising from its developers that claims they take the best parts of other malware, such as  GandCrabLockBit  and DarkSide. According to McAfee Enterprise Advanced Threat Research (ATR), the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the U.S. government and law enforcement agencies around the world.

The main goal of BlackMatter was to encrypt files in the infected computer and demand a ransom for decrypting them. The goal is to steal files and private information from compromised servers and request an additional ransom to not publish on the Internet.

Dr Süleyman Özarslan, Picus Security

According to Özarslanwe can expect the same hacker group to return in a different guise,: “BlackMatter is operated by the same criminals behind the DarkSide ransomware gang so it’s highly likely that the perpetrators will reform under a different guise.”

This occurs, says Özarslan because: “Ransomware gangs are highly resilient and typically rebrand in 6-month cycles. After the Colonial Pipeline attack, for example, Darkside was banned from many cybercrime forums for attacking a provider of critical infrastructure – prompting the decision to reform under a new name.”   

These rogue actors are driven by “The high financial returns from ransomware attacks”, which leads Özarslan to conclude: “It’s reasonable to assume that the BlackMatter ransomware gang will not stop anytime soon, despite growing pressure from authorities.”

George Glass, Redscan

Glass takes a similar view to Özarslan , explaining: “I expect this is BlackMatter saying au revoir, not goodbye. These kinds of announcements rarely mean that a gang is gone for good, they may simply be laying low after extremely high-profile campaigns and mounting pressure from the police. We will probably see them or at least some of their members reappear in the future under a different name, or with a different MO. We will certainly see the same methods being applied at scale by other operators, whether that involves BlackMatter members or not.”

Citing a prominent example, Glass says: “REvil is a prime example that ransomware gangs frequently come and go. When gangs disband, some actors retire. However, in many cases they simply reform under another guise or members within them move into other gangs. It’s very a big game of whack-a-mole.”

Glass regards the ransomware world as a bit of a see-saw: “The level of attention that groups receive from the authorities is often a key determining factor in actors deciding to scaling back their operations. However, as with any type of crime, there will most likely be actors who are still willing to take risks, maybe because they are outside of the jurisdiction of authorities or simply because they do not believe they will be caught.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:


This transmission electron microscope image shows SARS-CoV-2—also known as 2019-nCoV, the virus that causes COVID-19—isolated from a patient in the U.S. Virus particles are...


If all this very basic information makes the point that these drugs are truly bad, that was the good news. The news for users...


WikiLeaks founder Julian Assange will learn Monday whether he can appeal to Britain’s Supreme Court against a High Court ruling.


French designer Thierry Mugler, who reigned over fashion in the 1980s, died on Sunday at the age of 73 of "natural causes".