Following Its Shutdown, the BlackMatter Ransomware Gang Transfers Victims to LockBit

Yesterday we announced that due to pressure from authorities and recent law enforcement operations, BlackMatter decided to shut down its activities.

According to BleepingComputer, following the shutdown, BlackMatter developers have already started transferring victims to the LockBit ransomware website to continue negotiating ransom demands.

The ransomware group that calls itself BlackMatter claims to be a successor to now-defunct Darkside and REvil, two other notorious ransomware threat actors responsible for the cyberattacks on Colonial Pipeline and Kaseya.

The ransomware threat actors allow associates to obtain decryption tools for existing negotiations as part of this shutdown, enabling them to keep extorting victims.

As explained by BleepingComputer, while BlackMatter’s infrastructure remains operational, the operation’s affiliates are transferring current victims to the LockBit ransomware negotiation site.

In BlackMatter negotiation chats that already exist, affiliates are directing victims to LockBit’s Tor sites, where new negotiation pages are created specifically for them. The BlackMatter affiliates continue to negotiate with victims on these LockBit negotiation pages in order to obtain the requested ransom.


BlackMatter is still shutting down, with today’s operations consisting of removing their profile from Russian hacking forums.

BlackMatter’s cleanup actions have been monitored by security expert pancak3lullz, who discovered that the group withdrew 4 Bitcoins ($250,000) from the

Read More: