Are Ransomware Gangs Ever Really Gone for Good?

In late January 2023, the Hive ransomware group suddenly went offline. A multinational group of law enforcement agencies seized the group’s assets and shut down its websites on the Dark Web.

This operation didn’t happen overnight, it was the result of months of work, with coordination from the FBI, Interpol and multiple European law enforcement agencies. Together, the authorities infiltrated Hive’s network and began disrupting the group’s activities, systematically reducing its effectiveness until they could deliver the final blow.

This is just one in a longer series of operations against highly sophisticated cybercriminal enterprises around the world. In 2022, Russia’s Federal Security Service arrested the leaders of the notorious REvil ransomware gang at the request of US authorities. The year before that, BlackMatter reported it would cease operations after a successful government-led effort against it.

At first glance, this sounds like strongly positive news for cybersecurity leaders and the organizations they protect as every cybercrime group that goes under decreases the overall volume of attacks.

However, this might turn out to be an over-optimistic interpretation as there’s very little evidence to suggest that professional cybercriminals will simply call it quits. Many of the individuals often work for multiple gangs at the same time.

By the end of 2022, the overall volume of ransomware attacks had decreased by 23% compared to 2021. A trend that appears set to continue as organizations adopt stricter cybersecurity policies and implement newer and more robust prevention technologies like anti data exfiltration. When it came to the number of reported attacks, we saw a growth of 29%, so, although the volume decreased, the tactical and operational success of each attack was much higher.

At the same time, international authorities have been cracking down on the largest and most prolific ransomware gangs. These factors have put significant pressure on ransomware operators and many have been forced offline.

But that doesn’t mean that the cybercriminals responsible have given up. In fact, it’s likely they’re more active than ever – but with a key difference.

Cybercriminals may be moving on from traditional ransomware because it doesn’t generate profits the way it used to. In an environment where cyber insurance is becoming increasingly difficult to obtain, organizations are discouraged from paying ransoms, and new legislations are prohibiting them from doing so, there are fewer opportunities for growth.

Instead of quitting, cybercriminals may be experimenting with new methods to extort money from victims, with some turning to inside attacks, which have increased by nearly 50% over the last two years. Others are looking for new opportunities to make their mark – possibly by opening up their own cybercrime startup.

Ex-ransomware group members don’t appear to give up on cybercrime. It’s more likely they simply give up on the brand they previously identified with.

To understand why this is the case, think of ransomware gangs as commercial IT companies. In a healthy market environment innovative startups grow, hire top talent, and develop reputable brands. But eventually the market environment changes, and established leaders can’t always adapt in time. Competitive new startups disrupt their operations, poach top performers, and become the next generation of market leaders.

The ransomware industry works in roughly the same way. These are just commercial tech brands that happen to make their money through cybercrime and their employees have no particular attachment to ransomware as a technology.

As time goes on and ransomware loses its relevance as a profit-generating enterprise, these groups will look for ways to replace lost income. Their members may start to look for opportunities to create new groups (or take over ones that are already well known) in order to keep a greater share of the profits for themselves.

Cybercrime groups are often linked to one another in unusual ways, and those links change over time. For example, the Ryuk and Conti ransomware groups appear to have exchanged resources, tactics, and technologies between different core members for years.

Unlike commercial tech companies however, ransomware groups do not explain any of their decisions to the public. There is no transparency about these groups’ internal organization or motivations. It’s possible that Ryuk and Conti are separate entities, and their similarities purely a coincidence. It’s also possible that one is a splinter group of the other, or that a single person manages some aspects of both groups.

In some cases, cybercrime groups may appear, disappear, and reappear later. This appears to be the case with REvil (also known as Sodinokibi), which made headlines after launching a successful ransomware attack against Kaseya in July 2021.

But REvil surprised the cybersecurity community by going offline only a few weeks after its high-profile attack, within another few weeks however, the organization resurfaced, apparently using the same infrastructure as before. It’s unlikely that the group’s leadership took the group offline and then brought it back during an intense worldwide manhunt led by the FBI.

At the time, cybersecurity researcher Brett Callow called this move either “supremely arrogant or supremely stupid” in an interview with Recorded Future. It’s more likely that a dispute between multiple stakeholders took place, and that a leadership shuffle resulted in someone new taking control of the group. There is no guarantee that the group’s new leaders even took part in the Kaseya attack.

Cybersecurity leaders must recognize that ransomware is just one of many possible cybercrime techniques. Multiple factors have contributed to it becoming the biggest security threat of the pandemic era, and other factors have contributed to its decline since then.

One of those factors is the existence of a modern, competitive cybercrime industry that rewards innovation and risk-taking, and looks beyond traditional targets towards sectors like education, healthcare and government. International authorities have had remarkable success taking down individual cybercrime groups but have not yet dismantled the industry that enables those groups to exist.

As organizations improve their ransomware response capabilities, cybercriminals will shift to new tactics and techniques. Cybersecurity leaders must gain visibility into these trends so they can position themselves successfully for the next generation of cybercrime groups. Insider threats, social engineering, and supply chain attacks are just some of the possibilities today’s cybercriminals are beginning to explore.

Learn more about how BlackFog protects enterprises from the threats posed by ransomware.