HHS HC3: BlackMatter Threat to Health Sector 'Reduced'Ransomware Gang Is Said to Have Disbanded, But Will Others Fill the Gap?
U.S. authorities have mixed news for the healthcare and public health sector. The good news: The threat level posed by ransomware-as-a-service gang BlackMatter is reduced. The bad news: Other cybercriminals will undoubtedly fill the gap - if they haven't already.
In an advisory, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center said it has lowered the threat level posed by BlackMatter to the health sector to "guarded" after having raised the threat level to "elevated" last fall (see: HHS Warns Health Sector of BlackMatter Attacks).
While HC3 previously identified multiple healthcare and public health sector-related organizations affected by the BlackMatter malware, "the group has not claimed a victim since Oct. 31, 2021, and appears to have shut down operations," the report says (see: BlackMatter Claims to Shut Ops; Experts Suspect Rebranding).
"HC3 can confirm that the BlackMatter leak site is no longer operational and no known ransomware variants are believed to be successors at this time, according to open-source reporting," HHS says.
But it says, "while the group appears to have shut down operations, other actors seeking lucrative payouts from ransomware attacks are likely to fill this void."
Disappearing, Reappearing Act
Some experts warn that the disappearance and then reappearance of reconstituted cybercriminal operations is not that unusual.
For instance, BlackMatter itself is thought to be a rebrand of the defunct DarkSide, HC3 says in its report.
DarkSide was behind the Colonial Pipeline Co. attack last May that disrupted fuel deliveries along the U.S. East Coast (see: BlackMatter Ransomware Appears to be Spawn of DarkSide).
"It is common for individual ransomware groups to shut down due to perceived pressure or scrutiny from law enforcement, or for other reasons," says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is now a researcher with cybersecurity threat intelligence firm IntSights.
"It is also common, however, for these groups to resurrect and rebrand themselves under new names, or for individual members of defunct groups to continue their activities under the rubric of a new group."
The threat from ransomware in general remains high, even though specific groups and their individual members may vanish and then resurface under different names, he says.
"It is worth tracking these shifts to the extent that specific groups may have specific indicators of compromise or other detections for security teams to use to defend against them and use specific payloads and tactics, which may shift as the various groups come and go."
HHS HC3's reduction of the threat level for BlackMatter "is justifiable," Prudhomme says.
But while the group itself may have disappeared, individual members of it may continue to pose a threat under a different name, he warns. "Ransomware in general nonetheless remains a popular form of business for criminals, and any other ransomware operators could fill any void left by the disappearance of BlackMatter."
Brett Callow, a threat analyst at security firm Emsisoft, offers a similar perspective and says, "The operators of BlackMatter may have already started up a new operation. ALPHV bears some similarities to BlackMatter, and the operator of another gang hinted at a connection in a post on a cybercrime forum."
Callow says that last fall, a person claiming to be part of the BlackMatter team announced on a cybercrime forum that the operation was shutting down - supposedly due to increased attention from law enforcement agencies.
The announcement from the group came only a few days after The New York Times had reported that Emsisoft had been helping BlackMatter victims to recover their data without needing to pay the demands - "which cost gang and their affiliates multiple millions of dollars. They’d made a similar mistake when operating as DarkSide," he says. Also, the $4.4 million ransom demand Colonial Pipeline reportedly paid to DarkSide last May was later mostly recovered.
"Rather than fleeing from law enforcement, I suspect [BlackMatter] simply pulled an exit scam. This was their second mistake, and it had cost their affiliates a massive amount of money," Callow says.
"Unfortunately, the retiring of any one gang doesn’t have an immediate impact on the threat landscape as the affiliates - who are the people that actually carry out the attacks - simply switch to other RaaS operations."
But Callow says retirements, ransomware seizures and arrests do have an impact. "They all help alter the risk-reward ratio, and that’s a critical element of solving the ransomware problem. In the past, it was all reward and no risk, but that’s finally starting to change."
Healthcare Sector Victims
HC3 says the BlackMatter group is likely Eastern Europe and is Russian-speaking.
In its report, HHS HC3 does not identify victims, but says it is aware of at least four healthcare or healthcare-related organizations that have been affected by BlackMatter ransomware incidents.
U.S.-based organizations in the healthcare sector hit by BlackMatter attacks include a pharmaceutical consulting company, a medical testing and diagnostics company and a dermatology clinic, HC3 says.
A global medical technology company based in the Asia-Pacific region was also hit by a BlackMatter incident, the report says.
While HC3 did not name the firm, BlackMatter was believed to be behind a Sept. 8 cyberattack on Olympus, a Japanese company that manufactures optics and reprography products (see: Olympus: 'Potential Cyber Incident' Disrupted EMEA System).
Besides those attacks, BlackMatter RaaS operators claimed a U.S.-based law firm providing COVID-19-related legal services was also as a victim, HC3 says.
The most recent BlackMatter victim was observed by HC3 on Oct. 31, the report says.
"On Nov. 1, BlackMatter claimed it was shutting down operations following pressure from local law enforcement and stated that key members of its group were 'no longer available,'" HC3 says. "Shortly thereafter, the existing BlackMatter victims were moved to the competing LockBit ransomware negotiation site."
Certainly, other ransomware crime groups have appeared to go dark only to resurface again later, sometimes with new monikers or new affiliations. For instance, the ransomware operation REvil - also known as Sodinokibi - first appeared in April 2019 as a GandCrab ransomware spinoff.
But more recently, some security experts say REvil might have already rebooted as "Ransom Cartel" after various recent attempts to take down the REvil operation (see: Suspected REvil Spinoff 'Ransom Cartel' Debuts).
For instance, the U.S. government in the spring of 2021 began sharing intelligence on ransomware groups with the Russian government and demanding Moscow do more to blunt attacks emanating from inside the country.
So far, however, it's not clear if any of REvil's high-level leadership, whoever they might be, have been arrested. At least some of the suspects appear to be affiliates.