Countering ransomware: Ransomware gang disruptions do work

Countering ransomware remains one of the top priorities for nations and their law enforcement and intelligence agencies. The persistence of ransomware, which can largely be attributed to its high profits combined with the safe harbor given to ransomware actors in Russia, has evolved into a cybercrime battle with no perfect solution. In many cases, it is not possible to arrest, prosecute or even indict the perpetrators. 

In the face of these challenges, governments are increasingly employing creative ways to exert pressure on threat actors and impose cost upon their operations. Given the transnational nature of this crime and the complexities of mounting technical operations against these groups, law enforcement recognizes the need for cooperation between international agencies and the private sector. Recent operations aim to identify and name perpetrators, disrupt technical infrastructure, make arrests where possible, impose sanctions and seize their cryptocurrency. 

Some of these operations immediately stopped some ransomware groups in their tracks. The impacts of other operations caused a denigration in the capabilities that eventually resulted in the end of their operations. These law enforcement interventions often involve cybercrime specialists from numerous countries working together and are resource intensive. Below are some examples of law enforcement actions that impacted the ransomware ecosystem.

Undermining trust

Ransomware incidents that targeted critical infrastructure — healthcare, energy and food — prompted several nations to classify these attacks as national security threats rather than purely cybercriminal events with financial repercussions. Many nations task their intelligence agencies with finding weaknesses in ransomware gang’s operations. These operations resulted in the takeover and shutdown of ransomware-related infrastructure, repatriation of illicit cryptocurrency profits and the collection of valuable intelligence that allows for better understanding of current and anticipated ransomware activities. 

Law enforcement knows that economic cooperation between cybercriminals is reliant on the reputations of their fellow threat actors and in the operational security around their infrastructure and forums. Creating distrust and uncertainty in this underground economy undermines confidence in the system and undermines their ability to earn a profit. It means a higher risk for malicious actors seeking to partner with ransomware groups, as law enforcement could be collecting messages, identifiers and other intelligence that could threaten their operations and reduce their cash flow.

Identifying perpetrators is hard, but not impossible

Maintaining anonymity is critical for threat actors to operate with impunity. Law enforcement agencies successfully identified ransomware perpetrators through patient and thorough investigative techniques focused on opportunities where threat actors skyline themselves either by mistake, negligence or a dispute with another actor. As an example, United States enforcement unsealed an indictment in May 2024 against Dmitry Yuryevich Khoroshev of Russia. The indictment alleges he is LockBitSupp, the leader of LockBit, one of the most damaging and pervasive ransomware groups.

Disrupting money flows

Ransoms are largely paid in virtual currencies like Bitcoin. Although bitcoin offers a degree of privacy, bitcoin transactions are traceable via its blockchain, or public ledger of transactions. To counter this, cybercriminals try to launder illicit funds via “mixing” services, which purport to obscure traceable paths. To counter this, law enforcement focused their disruption efforts by prosecuting operators of mixers. Focus is placed on cryptocurrency exchanges where bad actors seek to exchange virtual currency for cash. Those administrators are targeted with criminal charges. 

Prosecutions

Although some ransomware perpetrators are unlikely to be prosecuted if they remain in safe harbors, like Russia, arrests have been made. In 2021, an affiliate of the REvil ransomware gang exploited zero-day vulnerabilities in remote-management software developed by the company Kaseya. Increasingly, law enforcement uses indictments as a tool to publicly name identified ransomware operators and place them on alert for international agencies.

Reduce ransoms

Infiltration of ransomware groups results in real-time benefits for organizations that are attacked with file-encrypting malware. Hive was one of the most prolific ransomware-as-a-service (RaaS) groups, with affiliates using its ransomware to execute attacks and extort more than 1,500 victims. For seven months, investigators had clandestine access to Hive’s control panel and database. That enabled investigators to swipe decryption keys without Hive’s knowledge and distribute those keys to 336 victims under attack. This type of action also occurred with two disruption actions in 2024 affecting the LockBit ransomware group. By infiltrating LockBit’s infrastructure, the FBI and other law enforcement partners recovered more than 7,000 decryption keys, which can be distributed to organizations that are still recovering. 

Continuing the ransomware fight 

Ransomware remains one of the most prevalent and dangerous cyber threats facing organizations. The trends are discouraging: ransomware victims paid more than $1 billion in ransoms in 2023, a record high. We should be under no illusions that a single tactic is going to erase this type of crime. Threat actors are known to respond to public and law enforcement scrutiny by regrouping, rebranding, and starting new ransomware operations under new names. 

While law enforcement action may deter some threat actors, others will continue to engage in ransomware unphased. But these actions do impose costs, both psychological and financial. Past law enforcement actions against groups including ALPHV, Hive, Ragnar Locker, REvil and NetWalker have resulted in complete or partial closure of the group’s operations. LockBit, one of the most prominent ransomware groups, continues to operate after two disruptions in 2024. However, the group is running at a diminished capacity compared to years prior. There is a return-on-investment for disruption actions even if the ultimate goal — a cessation of this type of crime — may remain elusive. The fight must continue.