{"id":43732,"date":"2021-11-03T23:01:24","date_gmt":"2021-11-03T23:01:24","guid":{"rendered":"http:\/\/96d380f3-939e-40aa-86b1-3f55588eb9ff"},"modified":"2021-11-03T23:01:24","modified_gmt":"2021-11-03T23:01:24","slug":"blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/","title":{"rendered":"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\" class=\"ff-og-image-inserted\"><\/div>\n<p><a href=\"https:\/\/www.zdnet.com\/article\/colonial-pipeline-cyberattack-shuts-down-pipeline-that-supplies-45-of-east-coasts-fuel\/\" target=\"_blank\" rel=\"noopener\">attack on Colonial Pipeline<\/a>In messages obtained <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1455750066560544769\/photo\/2\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\">by a member of the vx-underground group<\/a>, the prolific BlackMatter ransomware group has said it is closing shop due to increased law enforcement pressure.&nbsp;<\/p>\n<p>The group &#8212; hawking a rebranded version of the <a href=\"https:\/\/www.zdnet.com\/article\/darkside-the-ransomware-group-responsible-for-colonial-pipeline-cyberattack-explained\/\" target=\"_blank\" rel=\"noopener\">DarkSide ransomware<\/a> used to <a href=\"https:\/\/www.zdnet.com\/article\/colonial-pipeline-ransomware-attack-everything-you-need-to-know\/\" target=\"_blank\" rel=\"noopener\">attack Colonial Pipeline<\/a> earlier this year &#8212; posted a message on its private ransomware-as-a-service website on November 1st saying some members of the gang are &#8220;no longer available&#8221; after &#8220;the latest news.&#8221;<\/p>\n<p>&#8220;Due to certain unsolvable circumstances associated with pressure from the authorities (part of the team is no longer available, after the latest news) &#8212; project is closed,&#8221; the group wrote.&nbsp;<\/p>\n<p>&#8220;After 48 hours the entire infrastructure will be turned off, allowing: Issue mail to companies for further communication [and] Get decryptor. For this write &#8216;give a decryptor&#8217; inside the company chat, where necessary. We wish you all success, we were glad to work.&#8221;&nbsp;<\/p>\n<p>While the group did not explain what they meant by &#8220;the latest news,&#8221; there are a variety of stories tied to the ransomware gang&#8217;s activities over the last two months.&nbsp;<\/p>\n<p>After <a href=\"https:\/\/www.zdnet.com\/article\/russian-language-cybercriminal-forum-xss-bans-darkside-and-other-ransomware-groups\/\" target=\"_blank\" rel=\"noopener\">closing shop<\/a> to due law enforcement scrutiny following the <a href=\"https:\/\/www.zdnet.com\/article\/colonial-pipeline-cyberattack-shuts-down-pipeline-that-supplies-45-of-east-coasts-fuel\/\" target=\"_blank\" rel=\"noopener\">attack on Colonial Pipeline<\/a> in May, the group re-emerged in July under the &#8220;BlackMatter&#8221; banner. They <a href=\"https:\/\/www.zdnet.com\/article\/iowa-farm-services-provider-hit-with-blackmatter-ransomware-and-5-9-million-ransom\/\" target=\"_blank\" rel=\"noopener\">attacked dozens<\/a> of companies and <a href=\"https:\/\/www.zdnet.com\/article\/cisa-says-blackmatter-ransomware-group-behind-recent-attacks-on-agriculture-companies\/\" target=\"_blank\" rel=\"noopener\">CISA identified the group<\/a> as the perpetrators of multiple attacks <a href=\"https:\/\/www.zdnet.com\/article\/iowa-farm-services-provider-hit-with-blackmatter-ransomware-and-5-9-million-ransom\/\" target=\"_blank\" rel=\"noopener\">on agriculture companies<\/a> ahead of harvests.&nbsp;<\/p>\n<p>Last week, <a href=\"https:\/\/blog.emsisoft.com\/en\/39181\/on-the-matter-of-blackmatter\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">Emsisoft CEO Fabian Wosar revealed<\/a> that his company <a href=\"https:\/\/www.nytimes.com\/2021\/10\/24\/technology\/ransomware-emsisoft-blackmatter.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\">discovered a flaw<\/a> in the BlackMatter ransomware allowing them to help victims recover all of their files. The group eventually figured it out and released an updated version of their malware, but Wosar hinted that they were working with law enforcement agencies and others to help victims.&nbsp;<\/p>\n<section class=\"sharethrough-top placeholder\"> <\/section>\n<p>On Wednesday, the <a href=\"https:\/\/www.washingtonpost.com\/national-security\/cyber-command-revil-ransomware\/2021\/11\/03\/528e03e6-3517-11ec-9bc4-86107e7b0ab1_story.html\" target=\"_blank\" rel=\"noopener noreferrer\" data-component=\"externalLink\">Washington Post reported<\/a> that US Cyber Command and a foreign government were responsible for the <a href=\"https:\/\/www.zdnet.com\/article\/multiple-governments-involved-in-coordinated-takedown-of-revil-ransomware-group-reuters\/\" target=\"_blank\" rel=\"noopener\">disruption of the REvil ransomware group<\/a>. Chats from REvil actors were seen by the newspaper and indicate the group&#8217;s leaders were spooked once they realized law enforcement entities were in their system, shutting down operations for the <a href=\"https:\/\/www.zdnet.com\/article\/revil-ransomware-group-resurfaces-after-brief-hiatus\/\" target=\"_blank\" rel=\"noopener\">second time<\/a> this year.&nbsp;<\/p>\n<p>Officers from Europol also <a href=\"https:\/\/www.zdnet.com\/article\/ransomware-police-sting-targets-suspects-behind-1800-attacks-that-wreaked-havoc-across-the-world\/\" target=\"_blank\" rel=\"noopener\">arrested the Ukrainian group<\/a> behind the MegaCortex, Dharma and LockerGoga ransomwares. The twelve people arrested allegedly perpetrated more than 1,800 ransomware attacks on critical infrastructure and large organisations around the world.<\/p>\n<p>The immense amount of pressure now facing ransomware groups was noted by General Paul Nakasone, head of US Cyber Command.&nbsp;<\/p>\n<p>&#8220;I&#8217;m pleased with the progress we&#8217;ve made,&#8221; he said, &#8220;and we&#8217;ve got a lot more to do,&#8221; he said during a speech at the Aspen Security Forum on Wednesday.&nbsp;<\/p>\n<p>Bleeping Computer <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" data-component=\"externalLink\">reported on Wednesday afternoon<\/a> that BlackMatter operators have already begun moving victims over to the <a href=\"https:\/\/www.zdnet.com\/article\/a-deep-dive-into-the-operations-of-the-lockbit-ransomware-group\/\" target=\"_blank\" rel=\"noopener\">LockBit ransomware<\/a> site so that they can continue negotiating ransoms. The group is also pulling cryptocurrency out of the Exploit hacking forum and deactivating accounts, according to Bleeping Computer.&nbsp;<\/p>\n<p>Most experts were quick to note that ransomware groups have now made it a standard practice to close shop and reorganize under a new name. Multiple ransomware groups have done it, some multiple times, as soon as law enforcement pressure gets to be too much to handle.&nbsp;<\/p>\n<p>Xue Yin Peh, senior cyber threat intelligence analyst at Digital Shadows, said DarkSide, Avaddon and Egregor are just some examples of groups that folded their operations following the after-effects of a prominent attack.&nbsp;<\/p>\n<p>&#8220;Although BlackMatter&#8217;s announcement would suggest a halt in operations, if we consider previous events, there are a few possibilities as to the future of BlackMatter: Members or affiliates lie low for a period of time, staying inactive while taking a break from ransomware activities and Member or affiliates are absorbed into the ransomware-as-a-service programs of other groups,&#8221; Yin Peh said.&nbsp;<\/p>\n<p>&#8220;Or, BlackMatter will rebrand into a new program under another name. Given how highly lucrative ransomware operations are, it is unlikely that those behind BlackMatter will cease operations entirely. An eventual rebranding seems more probable, but how soon this will happen remains to be seen. With law enforcement hot on their heels, it is more likely that BlackMatter will take their time to let the law enforcement dust settle, re-develop their tools, and then re-emerge with a new and improved payload.&#8221;<\/p>\n<p>Picus Security&#8217;s Dr. S\u00fcleyman \u00d6zarslan noted that ransomware gangs typically rebrand in 6-month cycles.<\/p>\n<p>Other experts, like BreachQuest CTO Jake Williams, said better backups and other preparation by victims were decreasing ransom payment rates in some instances, forcing ransomware groups to increasingly rely on double extortion methods to regain leverage.&nbsp;<\/p>\n<p>&#8220;The creation of the data exfiltration tool shows that groups are not only worried about standardizing their encryption operations, but also their extortion operations. The mere existence of the tool shows how important the double extortion process has become for operators,&#8221; Williams said.&nbsp;<\/p>\n<p>&#8220;At this point it&#8217;s not clear whether core group members are &#8216;unavailable&#8217; because they are in custody or have simply decided the stakes are too high to continue operations. But the note specifically mentions local law enforcement pressure, and that&#8217;s a sign that saber rattling appears to be helping. But we shouldn&#8217;t forget that due to a bug in BlackMatter ransomware, operators and affiliates lost millions in ransom payments in the last month. This was already hurting relationships with affiliates. It&#8217;s not hard to imagine given the strained operations model, it might not take much pressure from authorities for core BlackMatter members to hang up their hats.&#8221;<\/p>\n<p> READ MORE <a href=\"https:\/\/www.zdnet.com\/article\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#ftag=RSSbaffb68\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The group posted a message on its private ransomware-as-a-service website on November 1st saying some members of the gang are &#8220;no longer available&#8221; after &#8220;the latest news.&#8221;<br \/>\nREAD MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[62],"tags":[],"class_list":["post-43732","post","type-post","status-publish","format-standard","hentry","category-zdnet-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>BlackMatter ransomware to shut down, affiliates transferring victims to LockBit 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-03T23:01:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit\",\"datePublished\":\"2021-11-03T23:01:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/\"},\"wordCount\":930,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.zdnet.com\\\/a\\\/img\\\/resize\\\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\\\/2020\\\/09\\\/28\\\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\\\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\",\"articleSection\":[\"ZDNet | Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/\",\"name\":\"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.zdnet.com\\\/a\\\/img\\\/resize\\\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\\\/2020\\\/09\\\/28\\\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\\\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\",\"datePublished\":\"2021-11-03T23:01:24+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.zdnet.com\\\/a\\\/img\\\/resize\\\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\\\/2020\\\/09\\\/28\\\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\\\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\",\"contentUrl\":\"https:\\\/\\\/www.zdnet.com\\\/a\\\/img\\\/resize\\\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\\\/2020\\\/09\\\/28\\\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\\\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/","og_locale":"en_US","og_type":"article","og_title":"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-11-03T23:01:24+00:00","og_image":[{"url":"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit","datePublished":"2021-11-03T23:01:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/"},"wordCount":930,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#primaryimage"},"thumbnailUrl":"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp","articleSection":["ZDNet | Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/","url":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/","name":"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#primaryimage"},"thumbnailUrl":"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp","datePublished":"2021-11-03T23:01:24+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#primaryimage","url":"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp","contentUrl":"https:\/\/www.zdnet.com\/a\/img\/resize\/63f5f8469ef2bc88d3a2134104242ff0875ba4f6\/2020\/09\/28\/6ce2ab9c-621c-4b07-90a2-7fb82fe7c55c\/istock-1185282377.jpg?width=770&amp;height=578&amp;fit=crop&amp;auto=webp"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/blackmatter-ransomware-to-shut-down-affiliates-transferring-victims-to-lockbit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"BlackMatter ransomware to shut down, affiliates transferring victims to LockBit"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=43732"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43732\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=43732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=43732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=43732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}