BlackMatter ransomware group may have shut down operations

The U.S. Department of Health and Human Services' cybersecurity arm said this week that the operation has not claimed a victim since last October.
By Kat Jercich
03:09 PM

[Ed. Note: This piece has been updated to include information about BlackCat, which has potential links to BlackMatter.]

The U.S. Department of Health and Human Services' cybersecurity arm released a bulletin this week with some rare good news: The BlackMatter ransomware-as-a-service program appears to have shut down operations.  

"While [the Health Sector Cybersecurity Coordination Center] previously identified multiple healthcare and public health (HPH) sector or health sector-affiliated organizations impacted by this malware, the group has not claimed a victim since October 31, 2021," said the HC3 analyst note.  

As such, HC3 reduced the threat level posed by the group from "yellow," or "elevated," to "blue," or "guarded." 

WHY IT MATTERS  

BlackMatter is a Russian-speaking group with likely origins in Eastern Europe.   

Although the operation claimed not to target healthcare entities, HC3 considered it to be a highly sophisticated operation that posed an "elevated risk" to the sector; in September, the agency released a briefing warning as much.

In fact, HC3 said it is aware of at least four healthcare or healthcare-related organizations that have been impacted by BlackMatter ransomware incidents – including a medical testing and diagnostics company, a pharmaceutical consulting company, and a dermatology clinic, all in the United States.  

"A global medical technology company based in the Asia-Pacific region also suffered a BlackMatter incident," read the analyst note.  

In October, federal agencies issued a Cybersecurity Advisory providing information on BlackMatter ransomware, suggesting that the group is a possible rebrand of the DarkSide ransomware-as-a-service organization. And on Wednesday, some analysts said that BlackCat, the ransomware group possibly behind a recent attack on two German oil companies, is likely another rebrand.

However, October was the same month BlackMatter appeared to claim its last victim.  

"On November 1, BlackMatter claimed it was shutting down operations following pressure from local law enforcement and stated that key members of its group were 'no longer available,'" said the HC3 note.  

"Shortly thereafter, the existing BlackMatter victims were moved to the competing LockBit ransomware negotiation site," it continued.  

THE LARGER TREND  

BlackMatter's predecessor, REvil, has also receded from the threat landscape following several high-profile attacks on healthcare organizations.  

In November, the U.S. Department of Justice announced that it had taken action against two individuals accused of using the ransomware to attack U.S. businesses and government agencies.

"The arrest of Yaroslav Vasinskyi, the charges against Yevgeniy Polyanin and seizure of $6.1 million of his assets, and the arrests of two other Sodinokibi/REvil actors in Romania are the culmination of close collaboration with our international, U.S. government and especially our private sector partners," said FBI Director Christopher Wray in a statement at the time.  

ON THE RECORD  

"HC3 can confirm that the BlackMatter leak site is no longer operational and no known ransomware variants are believed to be successors at this time, according to open source reporting," said the agency.

Still, it warned, "While the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void."  

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.
