Ransomware group transformations and vanishings: An exploration of the reasons behind their identity changes
In the ever-evolving world of cybercrime, ransomware groups continue to pose a significant threat to organisations globally. Each group employs different tactics, techniques, and procedures (TTPs), with successful strategies often copied and adapted by others.
The operators behind the notorious Ryuk ransomware resumed activity, running campaigns in which Emotet and Trickbot served as the initial-access loaders (Trickbot also harvests credentials and data) before Ryuk itself was deployed to encrypt networks worldwide. The resurgence began in the second half of 2020 and continued into 2021, after a period of inactivity between April and August 2020; Conti ransomware, which shares code with the second version of Ryuk, emerged during that lull.
Another notable group, REvil, made headlines for its disappearance and subsequent reappearance. REvil went dark in mid-July 2021 and resumed in early September by restoring its infrastructure from backups. At that point one of its administrators, "0_neday," explained on a cybercrime forum that one of the group's leaders, "Unknown," had vanished and was presumed dead, and that the remaining operators had brought the sites back up.
On October 17, 0_neday posted on the same forum that the group was shutting down a second time because it had lost control of its infrastructure: someone else had brought up REvil's Tor hidden services using the group's own keys. On October 21 it was reported that a multi-nation law-enforcement effort had pushed REvil offline by compromising that infrastructure, which corroborated 0_neday's account, with agencies still looking for the group's members.
Avaddon operators, another significant player in the ransomware landscape, released decryption keys for over 2,900 victims in June 2021 when they shut down. Only about 180 of those victims had ever been listed on Avaddon's darknet leak site. Leak sites name only the victims an operator chooses to pressure, typically those who refuse to pay, so leak-site tallies badly undercount a campaign and give defenders limited visibility into its true scale.
Security professionals emphasise that understanding how ransomware actors think and operate is essential to handling them effectively. Some experts believe the mounting pressure from international law enforcement is forcing ransomware gangs underground.
REvil has been a top priority for the FBI and U.S. Cyber Command. Knowing which group is behind a ransomware attack offers insight into its goals and likely behaviour. In REvil's case, 0_neday wrote that Unknown had been presumed dead since July, but that "someone brought up the hidden-services of a landing and a blog with the same keys as ours," according to Recorded Future intelligence analyst Dimitry Smilyanets. That detail matters: a Tor hidden service is identified solely by its key pair, so whoever holds a copy of the private key, whether from a backup or from a seized server, can publish the very same .onion address and impersonate the group to its own affiliates and victims.
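To make the "same keys" point concrete, here is an added example (not code from this article, from REvil, or from Recorded Future) that derives a version 3 .onion address from a hidden service's 32-byte Ed25519 identity public key, following the construction in Tor's rend-spec-v3, and validates a given address against the checksum and version byte it embeds. The address is nothing more than the public key plus a two-byte checksum and a version byte, so anyone holding the matching private key can serve that address; there is no registrar, certificate or server to "own" beyond the key itself. The key bytes used below are a constructed stand-in derived from a fixed string so the example runs offline; they are not a real Ed25519 key.

```python
import base64
import hashlib

# A v3 .onion address is base32(PUBKEY || CHECKSUM || VERSION) + ".onion", where
# PUBKEY is the 32-byte Ed25519 identity public key, VERSION is 0x03 and
# CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]  (Tor rend-spec-v3).
ONION_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def onion_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that binds the public key to the version byte."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_VERSION).digest()[:2]


def onion_address(pubkey: bytes) -> str:
    """Derive the v3 .onion hostname for a hidden-service identity public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 identity public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_address(address: str) -> bytes:
    """Validate a v3 .onion address and return the identity public key it encodes.

    Raises ValueError on wrong length, bad base32, wrong version byte or checksum
    mismatch, so a tampered or truncated address is rejected, not silently accepted.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56:
        raise ValueError("not a v3 onion address: expected 56 base32 characters")
    try:
        raw = base64.b32decode(host, casefold=True)
    except Exception as exc:  # binascii.Error on characters outside the base32 alphabet
        raise ValueError(f"not valid base32: {exc}") from None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion version byte {version.hex()}")
    if checksum != onion_checksum(pubkey):
        raise ValueError("checksum mismatch: address does not match its public key")
    return pubkey


def same_service(address_a: str, address_b: str) -> bool:
    """True if two addresses name the same hidden service, i.e. the same identity key."""
    return parse_onion_address(address_a) == parse_onion_address(address_b)


# Constructed stand-in for an identity public key (not a real Ed25519 key): 32 bytes
# derived deterministically from a fixed string so the example runs offline.
EXAMPLE_PUBKEY = hashlib.sha256(b"constructed example hidden-service identity key").digest()


if __name__ == "__main__":
    addr = onion_address(EXAMPLE_PUBKEY)
    print("derived address:", addr)
    print("round-trips to the same key:", parse_onion_address(addr) == EXAMPLE_PUBKEY)
    # A second party restoring the same key from a backup derives the identical address,
    # which is exactly the "same keys as ours" situation described above.
    print("backup copy names the same service:", same_service(addr, onion_address(bytes(EXAMPLE_PUBKEY))))
    tampered_version = addr[:-7] + "a.onion"                     # last base32 char carries the version bits
    tampered_key = ("a" if addr[0] != "a" else "b") + addr[1:]   # flips key bits, so the checksum fails
    for bad in (tampered_version, tampered_key):
        try:
            parse_onion_address(bad)
        except ValueError as err:
            print("rejected:", err)
```

Because every v3 address ends in the version bits, a genuine one always ends in `d.onion`; the checksum only guards against typos, not against someone who has the key, which is why key custody, not the address, is what operators (and investigators) actually fight over.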
As the battle against ransomware continues, it's clear that these groups will continue to evolve and adapt. Whether through rebranding, splintering, or collaborating, ransomware groups will persist in their efforts to disrupt businesses, extort money, and sow chaos. General Paul Nakasone, the head of U.S. Cyber Command, expects the U.S. to deal with ransomware every single day for at least the next five years.