Page 160 - Cyber Defense eMagazine Annual RSA Edition for 2024

decryption keys. However, ransomware gangs can simply rebuild their online infrastructure, update their
            malware, and recruit new affiliates to rebrand the operation and resume extortion operations.

            Unless the group’s key members are arrested, the takedown may only have a temporary effect.

            Here’s what businesses need to know.

            How Ransomware Groups Respond:

            Following a law enforcement intervention, ransomware groups can respond in several ways. Here are
            the four most common outcomes:



            Selling Their Code

            Ransomware groups may shut down their operations if law enforcement is able to significantly damage
            their reputation among other criminal groups. However, this isn’t the end of the problem – many of these
            groups will sell their source code and other assets.

            The buyer(s) of this source code will often integrate it into their own hacking operations, thereby
            resurrecting the threat. For example, in January 2023, law enforcement seized the Hive ransomware
            operation's payment and data leak sites, but just nine months later, we observed a new RaaS group
            called Hunters International, which claimed to have purchased the encryptor source code from the Hive
            developers.

            This source code can still be valuable, even if the ransomware decryption keys have been leaked. That’s
            because the ransomware can be retooled to create new decryption keys or it can be used purely for data
            theft and extortion instead of encryption.



            Rebranding Under a New Name

            It is extremely common for ransomware groups to rebrand following a law enforcement takedown. These
            new groups are no less dangerous than the original. In fact, they may become even smarter and more
            strategic.

            For example, after attacking the Colonial Pipeline in 2021, DarkSide faced intense law enforcement
            scrutiny and fund seizure. This led to the group's rebranding as BlackMatter.

            When rebranding, a group will often continue to rely on all or part of the source code used in the original
            ransomware. However, the group’s tactics will often change. They may switch from encryption attacks to
            pure data extortion, limit the number of affiliates and the operation’s overall size, and change which
            victims they target.
