The Predictable Life & Death Cycle of Ransomware Groups
Happy Groundhog Day! Earlier this morning, out in Punxsutawney, Pennsylvania, Phil saw his shadow. As such, everyone’s favorite marmot predicts 6 more weeks of winter. There’s strong reason to believe he’s wrong: all the Phils claim a 39% success rate since the first ‘prediction’ in 1886, which seems on par with every other weather forecaster. In an unusual turn, however, Phil made a second prediction, and he seems absolutely correct this time.
Some might dispute this prediction in the face of recent reports of the FBI’s seizure of the Hive ransomware group’s Tor payment and data leak websites, following months of a covert international law enforcement operation. The assumption when a bust as significant as this occurs is a net decrease in overall ransomware attacks, given that there is one less threat group on the landscape. Unfortunately, cyberattacks are not a zero-sum game. While it is certainly good news that Hive’s network has been disbanded, there isn’t time to celebrate just yet.
Just last June, we reported that the Conti ransomware operation’s leak and negotiation sites were shut down. This was good news as Conti threat actors were responsible for a tremendous amount of devastation. In that same month, we covered how Conti actually reinvented its larger operation into numerous splinter groups, essentially rebranding so the same actors could continue their attacks, just with a different set of indicators.
To get a clearer picture of how the threat landscape expands and contracts with various groups coming and going, let’s take a brief stroll through the birth and death of a threat group.
Hive ransomware first landed on government and cybersecurity experts' radars in mid-2021, with the group initially targeting healthcare systems and providers. Their formation as a ransomware-as-a-service (RaaS) operation allowed their reach to grow quickly and their double-extortion techniques to create fear across the landscape. By the end of 2022, the Russia-based Hive organization had cracked the top 5 for most observed ransomware attacks, spread across 20 countries. Entities were as worried about Hive operators as Nicolas Cage in The Wicker Man.
The ante was upped when Hive rewrote its encryption software in Rust, which made its tools more resilient against antivirus programs and various automated tools. Perhaps coincidentally, perhaps not, this upgrade occurred at the same time as the FBI’s intrusion into the threat group’s network.
After one and a half years of wreaking havoc, Hive was shut down. However, nature abhors a vacuum.
As we’ve seen time and again, where one threat group falls, another rises in its place. Reports from GuidePoint indicate that at least one new major ransomware group emerges per month, and that’s amid an already crowded landscape. With the Hive-sized hole recently created by the shutdown of their operations, there is no doubt the space will be quickly filled, or the human actors behind the group will rise like the Dodo bird, if Colossal Biosciences achieves its stated goals.
At SpearTip, we’ve created a cybersecurity solution designed to defend businesses against all manner of threats, including those perpetrated by Hive and whatever emerges in its place. Our ShadowSpear Platform is a fully managed, integrable security toolset combining numerous capabilities, all powered by our team of experienced engineers and analysts who helm our 24/7/365 SOC.
While we enjoy these next six weeks of winter, it’s wise to focus on Phil’s other prediction: ransomware groups and the attacks they perpetrate aren’t going away. Because of this unfortunate fact, businesses of all sizes and industries must work continuously to stay ahead of the evolving threat landscape and partner with a cybersecurity firm like SpearTip capable of preventing attacks on your critical data and operations.