Page 161 - Cyber Defense eMagazine Annual RSA Edition for 2024
Criminal Mergers
Disrupted ransomware groups may also join forces with other cybercriminal factions in an effort to restore
business operations.
For example, when ALPHV's Tor websites went offline, the admin of the LockBit ransomware group
immediately began recruiting the coder behind the ALPHV encryptor. Also, LockBit’s ransomware
version, Green, uses a Conti-based encryptor, which suggests cooperation between LockBit and former
members of the Conti group.
Ransomware mergers can create a lot of problems for security teams, since they can change the known
tactics of the groups, create a more skilful and resourceful adversary, and make it harder to predict both
the initial attacks and the extortion tactics they will use against companies.
Retaliation
Despite the risk of attracting more law enforcement attention, especially after take-downs, some
ransomware groups may escalate their attacks in retaliation for being disrupted. This makes them
significantly more dangerous and unpredictable.
Less than a week after the LockBit ransomware gang was disrupted by a multinational law enforcement
operation, it resumed its activities on a new, presumably more secure infrastructure. The gang relocated
its data leak site to a new address and listed new victims, including the FBI, although this appeared to
be more of a publicity stunt. LockBit also announced a strategic shift towards intensifying attacks within
the government sector.
How Businesses Should Respond:
Law enforcement’s disruption of ransomware operations is necessary to control the threat landscape, but
the adaptability and resilience of ransomware groups mean that these takedowns often have a temporary
effect.
To reduce the potential security risks of ransomware incidents, companies should follow the best security
practices provided in the #StopRansomware Guide, created by the Joint Ransomware Task Force
(JRTF).
When a company is attacked by ransomware, it should follow the Ransomware Response Checklist
by CISA. The EU’s “No More Ransom” website also provides decryption tools for about 177 ransomware
variants, including REvil/Sodinokibi, LockBit 3.0, Alpha, Chaos, WannaCryFake, Babuk, Bianlian, and
Darkside. However, it’s important for companies to understand that obtaining a decryptor for
the ransomware does not mean the process of removing it and restoring systems will be easy – or
brief. Recovery can be a very arduous and difficult process, and companies will also need to make sure
the ransomware criminals do not still have hidden access to the network.
The U.S. government does not recommend paying ransoms for a multitude of reasons. Ransom
payments may also be illegal, if the group is in a US sanctioned territory or on the sanctions list. It is also