
Ransomware takedowns, they’re not working

February 29th – Last year, ahead of the Christmas holiday, the U.S. Federal Bureau of Investigation (FBI) ran an international operation intended to squelch the notorious hacking group known as BlackCat or ALPHV.

The hacking group is known for operating on a Ransomware-as-a-Service (RaaS) model, and it has also been ranked as the second-most active organized ransomware group in existence.

In the wake of the FBI raid, Deputy Attorney General Lisa Monaco declared, “In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers.”

BlackCat/ALPHV “takedown”

However, just over two months later, the hackers seemed to be operating as normal. BlackCat/ALPHV didn’t exactly appear “disrupted.” Shortly thereafter, the group attacked a medical firm in the United States and managed to annihilate its software. In turn, an untold number of patients faced delays in obtaining prescription drugs.

Short-lived victories

According to ransomware analysts, law enforcement’s wins against hackers are generally short-lived. Hackers targeted in coordinated busts manage to rebuild ties and infrastructure quickly. They take a weekend off, and start back up.

“Because we can’t arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can’t stop them,” says Allan Liska, a ransomware researcher for Recorded Future.

Law enforcement cannot actually arrest these individuals. While law enforcement actions have had some effect, ransomware attackers seem to bounce back after government agency interventions without much issue.

Bouncing back fast

One observation is that ransomware groups may be reviving themselves more quickly than in the past, due in part to the increasing sophistication of the ransomware economy.

Hackers whose tools and sites were dismantled can now easily purchase access to malware from crime-friendly hosting providers and can buy their way into organizations via “access brokers.” Getting back in the game is a walk in the park.

Law enforcement actions

That said, law enforcement operations do help degrade the ransomware economy, as they cause operational friction for threat actors. They also obliterate groups from the scene for a certain length of time, even if not permanently.

But disruption efforts alone aren’t enough to end the ransomware problem. Ensure that your organization has advanced ransomware prevention mechanisms in place.
