It is always great to know when ransomware gangs are forced to dissolve, their illegally earned money is seized, and their servers are shut down. However, the latest trend among ransomware gangs looking to avoid such outcomes involves frequent renaming and successive incarnations.

What’s going on?

Reinvention is a crucial survival skill in the threat landscape. The primary motive of this technique is to temporarily distract investigators or send them in another direction. Threat actors, especially ransomware gangs, like to disappear when the going gets tough.

Recent revamps

  • After attacking Colonial Pipeline and wreaking massive havoc, the DarkSide ransomware gang disappeared. Similarly, the REvil gang announced it was folding and hasn’t been back yet. However, a new ransomware named BlackMatter popped up, and the gang behind it possesses characteristics of both DarkSide and REvil.
  • Another ransomware—Grief—has emerged in the cybercrime landscape. It turned out to be the same old DoppelPaymer gang. While the attackers tried to rebrand Grief as a new ransomware-as-a-service, researchers have spotted connections between the two.
  • WastedLocker, another ransomware family connected with Dridex and Indrik Spider, has been rebranded multiple times since 2019.

Why reinvent?

This starts with GandCrab. REvil acquired GandCrab’s affiliates upon the latter’s retirement. That’s when the trend of reinvention gained traction. Ransomware groups often rebrand because it enables them to reboot, lay down fresh ground rules and payment agreements for affiliates, and shed the reputation of the previous brand. Moreover, reinvention allows cybercriminals to evade law enforcement, since attribution built up against one brand does not transfer cleanly to the next.

The bottom line

The ransomware epidemic has spread far and wide, and methods to disrupt these activities rely heavily on the capability to identify and indict a handful of threat actors who wear many faces. Researchers and governments are putting several efforts in place to apprehend these gangs and curb the proliferation of cybercriminals.

Cyware Publisher
