Law Enforcement Takedowns Force Ransomware Affiliates to Diversify

The recent wave of law enforcement operations against ransomware gangs led to short-term decreased ransomware payments and activities, forcing ransomware affiliates to diversify.

This is one of the findings of a new report by dark web research firm Chainalysis, published during the RSA Conference on May 6.

In the report, Chainalysis recorded evidence of a decrease in ransomware operations’ profitability following recent law enforcement takedowns against ransomware groups, such as QakBot, ALPHV/BlackCat and LockBit.

However, it also found that the persistence of ransomware affiliates challenges the lasting effectiveness of these measures.

The primary way these affiliate groups used to stay profitable is to diversify the groups they work with.

Chainalysis found that ransomware affiliates have used more ransomware strains during the first two quarters of 2024 than in previous periods in 2023.

“This might signify that affiliates exposed to disruption are testing out new strains, pivoting away from the strains that were disrupted, or perhaps going out on their own,” Chainalysis noted.

The firm added that since pivoting is relatively easy and low-cost for ransomware affiliates, law enforcement could emphasize actions that increase the perceived risks, distrust and operational downtime for affiliates in order to create a longer-lasting impact on their activities.