Proactive law enforcement takedowns in 2024 reshaped the cybercrime ecosystem

Today’s columnist, Don Smith of the Secureworks Counter Threat Unit, explains how this year’s takedowns of Black Cat and LockBit have forced the criminals to shift gears. (Adobe Stock)

COMMENTARY: Law enforcement actions this year have disrupted the activity of some of the most prolific cybercriminal groups, from those involved in botnets and phishing to distributed-denial-of-service (DDoS) attacks and ransomware.

Arguably, LockBit, the most significant ransomware-as-a-service (RaaS) group since the double-extortion model emerged, saw its operations severely impacted under Operation Cronos, led by the UK’s National Crime Agency (NCA). Infrastructure was seized, individuals associated with the ransomware were arrested, and the operator was identified, indicted, and sanctioned.

BlackCat/ALPHV, another prolific ransomware group, was engaged in a leak site “tug of tor” with the FBI in December 2023. This precipitated BlackCat’s decline and eventual shuttering of the operation in an exit scam in March 2024.

Both LockBit and BlackCat achieved their dominance of the market by successfully operating an affiliate model, so undermining their operations had an immediate and obvious impact on their ability to victimize organizations.

The longer-term impact of these takedowns across the broader landscape still needs to unfold, but we have already observed a 30% increase in the number of active ransomware groups, while the number of victims named on leak sites has remained relatively stable. This means that a larger number of groups are listing roughly the same number of victims, pointing to fragmentation in the ransomware landscape.

Law enforcement activity has apparently achieved one of its intended objectives: undermine the trust of ransomware affiliates in the most prolific proponents of the RaaS model by damaging their reputations, resulting in an ecosystem defined by entropy. New groups have emerged at a rate not seen before and affiliates have been driven to them by necessity. Some appear to have become independent operators unaffiliated with any particular ransomware scheme.

Groups emerge from the rubble

One group that has notably benefited from the law enforcement disruptions is Qilin. The group started listing victims in October 2022, but leak site victim numbers suggested a low level of initial activity. However, following the BlackCat disruption in January 2024, Qilin’s numbers started to rise and almost doubled in February as the LockBit infrastructure was taken down. The number of victims listed on the leak site has continued to increase through 2024.

Within just one week of the LockBit takedown, a new RaaS scheme called RansomHub began listing victims on a leak site. The number of victim names has steadily increased month-over-month, reaching a high of 100 in November 2024. In the same month, it’s no coincidence that 50% of all named victims came from schemes that entered the ransomware landscape after the LockBit takedown.

The strongest evidence that RansomHub benefited from disruption to other schemes lies in a strange set of events following the Change Healthcare ransomware attack. The ransom demand for this breach was initially listed on the new BlackCat leak site and allegedly resulted in a $22 million ransomware payment.

However, immediately after receiving the payment, the BlackCat operation closed and the threat group operator disappeared with the money. The affiliate responsible wasn’t prepared to give up all financial gain, relisting Change Healthcare in April, this time on RansomHub.

Another group of note this year has been BlackSuit. Rebranded from Royal Ransomware by GOLD SOUVENIR in May 2023, the group also saw an increase in activity after the disruptions. What’s interesting in this case is that prior to this time, we had not seen any evidence that GOLD SOUVENIR operated their scheme as a RaaS and used affiliates. However, the uplift in victim naming suggests that they do operate with affiliates, and this number likely increased in response to the LockBit takedown and BlackCat shuttering.

We have also observed an increase in the number of ransomware intrusions that are not conducted by affiliates of known groups. The ransom notes delivered in these compromises were unbranded, and the communication methods supported by the attackers did not include the typical Tor-based negotiation portals or leak sites. The attackers instead used email addresses or private Tox chat channels.

Unlike the generic text used in many ransom notes, these intrusions included notes populated with specific details to convince the victims that their organization’s data had been successfully exfiltrated. The ransom notes contained information about the alleged size of the stolen data, the devices from which it had been stolen, and which areas of the compromised environment had been encrypted. This suggests that the attackers responsible were keen to avoid lengthy negotiations with victims that would normally involve exchange of that kind of information.
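The two preceding paragraphs describe a ransom note profile that differs from the branded RaaS template: no scheme name, no Tor negotiation portal or leak site, contact by plain email or Tox, and specifics (data volume, source hosts, encrypted areas) that pre-empt negotiation. The following triage script is an added example, not Secureworks CTU tooling; it pulls those indicators out of note text so an incident responder can sort a fresh note into "branded scheme" or "unbranded, direct contact" at first sight. Both sample notes are constructed, and every address, hostname and the 76-character Tox ID in them are placeholders; the brand list is just the groups named in this column.

```python
"""Triage of ransom notes: branded RaaS note vs. unbranded note with specifics.

Added example (not Secureworks CTU tooling). The sample notes are constructed;
the onion address, e-mail address, hostnames and Tox ID are placeholders.
"""
import re

# Scheme names mentioned in the column; a real deployment would maintain a
# much larger list. Matching is case-insensitive.
KNOWN_BRANDS = ("LockBit", "BlackCat", "ALPHV", "Qilin", "RansomHub", "BlackSuit")

ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")                       # Tor hidden-service host
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")                               # a Tox ID is 38 bytes = 76 hex chars
SIZE_RE = re.compile(r"\b(\d+(?:\.\d+)?)\s*(TB|GB|MB)\b", re.IGNORECASE)  # claimed exfil volume
HOST_RE = re.compile(r"\b[A-Z]{2,}[A-Z0-9-]*\d{1,3}\b")                    # crude NetBIOS-style name heuristic

# Constructed sample: a branded note pointing at a Tor negotiation portal.
NOTE_BRANDED = (
    "~~~ LockBit 3.0 the world's fastest ransomware ~~~\n"
    "Your data are stolen and encrypted. Contact us and decrypt one file for free "
    "on this TOR site: http://examplelocaltestonionplaceholder.onion/?id=placeholder\n"
)

# Constructed sample: unbranded note with specifics and direct contact channels.
FAKE_TOX_ID = ("0123456789ABCDEF" * 4) + "0123456789AB"  # 76 hex chars, placeholder
NOTE_UNBRANDED = (
    "We downloaded 450 GB of your data from FILESRV01 and BACKUP02. "
    "All files on the finance share and the ESXi hosts are encrypted. "
    f"Write to recovery@example.com or Tox: {FAKE_TOX_ID}."
)


def extract_channels(note):
    """Return (kind, value) pairs for every contact channel found in the note."""
    channels = [("onion", m) for m in ONION_RE.findall(note)]
    channels += [("email", m) for m in EMAIL_RE.findall(note)]
    channels += [("tox", m) for m in TOX_RE.findall(note)]
    return channels


def detect_brand(note):
    """First known scheme name that appears in the note, or None if unbranded."""
    lowered = note.lower()
    for brand in KNOWN_BRANDS:
        if brand.lower() in lowered:
            return brand
    return None


def claimed_exfil_gb(note):
    """Claimed stolen-data volume normalised to GB, or None if not stated."""
    m = SIZE_RE.search(note)
    if not m:
        return None
    value, unit = float(m.group(1)), m.group(2).upper()
    return value * {"TB": 1024.0, "GB": 1.0, "MB": 1.0 / 1024}[unit]


def triage(note):
    """Summarise the indicators an IR analyst checks first on a new note."""
    channels = extract_channels(note)
    kinds = {kind for kind, _ in channels}
    brand = detect_brand(note)
    return {
        "brand": brand,
        "channels": channels,
        "uses_tor_portal": "onion" in kinds,
        "claimed_exfil_gb": claimed_exfil_gb(note),
        "named_hosts": HOST_RE.findall(note),
        # The profile the column describes: no brand, no Tor portal,
        # direct e-mail/Tox contact. Specifics in the note reinforce it.
        "unbranded_direct_contact": (
            brand is None and "onion" not in kinds and bool(kinds & {"email", "tox"})
        ),
    }


if __name__ == "__main__":
    for label, note in (("branded", NOTE_BRANDED), ("unbranded", NOTE_UNBRANDED)):
        print(label, triage(note))
```

The hostname heuristic is deliberately loose (upper-case name ending in digits) and will miss lower-case or DNS-style names; in practice the extracted hosts are cross-checked against the asset inventory to confirm whether the attacker really had the access the note claims.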

What this means for organizations

While we have seen a significant rise in the number of ransomware groups now operating, the distribution of victim numbers has become more even, suggesting that around the same number of affiliates are operating overall. If there were more, we’d expect to see a higher number of victims.
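Both the fragmentation observation earlier in the column (30% more active groups, a stable victim count) and the claim just above (a more even distribution of victims across groups) come down to measuring how concentrated leak-site victim naming is. The script below is an added example, not Secureworks CTU data or tooling: it takes constructed per-scheme victim counts for a period before and a period after the takedowns (scheme names are placeholders, and the totals were chosen to mirror the column's proportions) and computes the group count, the top-two share, and a Herfindahl-Hirschman concentration index with its "effective number of groups" reading.

```python
"""Measuring fragmentation of the ransomware leak-site landscape.

Added example, not Secureworks CTU data or tooling. The two dictionaries
are constructed victim-naming counts per scheme for a period before and a
period after the takedowns; scheme names are placeholders.
"""

# Constructed: two dominant RaaS schemes and a long tail (10 groups, 300 victims).
BEFORE = {
    "scheme_A": 120, "scheme_B": 80, "scheme_C": 30, "scheme_D": 20,
    "scheme_E": 15, "scheme_F": 10, "scheme_G": 10, "scheme_H": 5,
    "scheme_I": 5, "scheme_J": 5,
}
# Constructed: the same 300 victims spread over 13 groups (30% more groups).
AFTER = {
    "scheme_C": 45, "scheme_K": 40, "scheme_D": 35, "scheme_L": 30,
    "scheme_E": 25, "scheme_M": 25, "scheme_F": 20, "scheme_N": 20,
    "scheme_G": 15, "scheme_O": 15, "scheme_H": 10, "scheme_I": 10,
    "scheme_J": 10,
}


def active_groups(counts):
    """Number of schemes that named at least one victim in the period."""
    return sum(1 for n in counts.values() if n > 0)


def total_victims(counts):
    return sum(counts.values())


def shares(counts):
    """Each scheme's share of all named victims, as a fraction."""
    total = total_victims(counts)
    return {g: n / total for g, n in counts.items() if n > 0}


def hhi(counts):
    """Herfindahl-Hirschman index: sum of squared shares. 1.0 means one
    scheme names every victim; 1/N means N equally active schemes."""
    return sum(s * s for s in shares(counts).values())


def effective_groups(counts):
    """1/HHI: how many equally sized schemes would give this concentration."""
    return 1.0 / hhi(counts)


def top_share(counts, k=2):
    """Combined share of the k most active schemes."""
    top = sorted(shares(counts).values(), reverse=True)[:k]
    return sum(top)


def summarize(before, after):
    """Compare two periods the way the column does: more groups, the same
    number of victims, and a flatter distribution."""
    groups_before, groups_after = active_groups(before), active_groups(after)
    return {
        "group_growth_pct": round(100.0 * (groups_after - groups_before) / groups_before, 1),
        "victim_ratio": round(total_victims(after) / total_victims(before), 2),
        "top2_share_before": round(top_share(before), 3),
        "top2_share_after": round(top_share(after), 3),
        "hhi_before": round(hhi(before), 4),
        "hhi_after": round(hhi(after), 4),
        "effective_groups_before": round(effective_groups(before), 1),
        "effective_groups_after": round(effective_groups(after), 1),
    }


if __name__ == "__main__":
    for key, value in summarize(BEFORE, AFTER).items():
        print(f"{key:>24}: {value}")
```

On the constructed data the group count rises by 30% while the victim total is unchanged, the top-two share falls from about two thirds to under a third, and the effective number of groups goes from roughly 4 to roughly 10. Tracking HHI month over month on real leak-site counts gives a single number for the fragmentation the column describes, and a rising effective-group count with flat totals is the signature of affiliates redistributing rather than multiplying.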

Despite successful law enforcement activity, ransomware has not gone away. It still poses a significant threat to organizations. The movement and fluidity across schemes makes attributing ransomware attacks to specific affiliates harder. There’s less repeatability and therefore less predictability. And given the focus from law enforcement, there’s a real incentive for threat actors to avoid standing out or becoming identifiable.

That said, for all their impact, the disruptions don’t seem to have caused affiliates to change the fundamental tools and tactics they adopt in deploying ransomware. It’s most likely because the same tried and tested methods still yield results. For example, the most common access vectors we see are still stolen credentials and the exploitation of vulnerabilities in internet-facing services.

The ransomware operations we observe today are not as sophisticated as they were in the past and involve limited deployment of custom malware. Mostly, they rely on older tools and frameworks that are readily detectable, or leverage off-the-shelf legitimate applications and native Windows utilities whose anomalous use security teams can detect.

We can expect to see the ransomware ecosystem continue to shift, in the same way it always has. But the impact of major takedowns by law enforcement has played a crucial role in disrupting the most dominant, established groups. In itself, it’s good news – and although the ecosystem has recovered, fewer organizations will have become victims of ransomware as a result.

While it’s true that building a great cybersecurity posture means evolving with the changing nature of the threat landscape, security priorities remain essentially the same: teams should always put basic security hygiene top-of-mind. Regular patching, hardening of identity management through the robust deployment of phishing-resistant multi-factor authentication (MFA), endpoint and network monitoring, and thorough security training are all fundamental and remain very important.

Don Smith, vice president, threat intelligence, Secureworks Counter Threat Unit

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
