How many ransomware threat groups have become household names over the last decade?
The answer, surprisingly, is none. Ransomware groups typically spring from nowhere, achieve a degree of notoriety, then disappear just as suddenly, never to be heard of again.
None has stuck around long enough to achieve much name recognition. At best, it’s been 15 minutes of fame before a new group replaces them as Public Enemy No. 1.
The intriguing question is why they are so short-lived compared to, say, nation-state threat groups, which seem able to sustain activity over many years.
Evidence of the short lifespan of even the biggest ransomware groups emerges in the latest IBM Security 2022 X-Force Threat Intelligence Index. It reveals that, in the four years to 2021, the average time ransomware groups remained active was 17 months, with even the most successful names barely staying in the game for two years.
Longer-lived groups included Hermes, Ryuk, DoppelPaymer, and REvil, while other highly active and successful groups such as NetWalker barely lasted a year.
IBM’s explanation is that the end of life for a ransomware group is rather like a magician who decides to end their stage act by disappearing in a puff of smoke.
“X-Force is aware of many ransomware actors that have rebranded and continued operations under new names, with GandCrab to REvil, Maze to Egregor, and DoppelPaymer to Grief as examples,” says the report.
The groups aren’t disappearing, then, so much as rebranding themselves, tearing down their operation before moving on to a new identity.
This has been the pattern from the early days of organized cybercrime, and ransomware has simply perfected the acts of disappearing and reappearing.
Ransomware brands used to be identified by the malware used in the infection—for example, CryptoLocker and its many imitators such as CryptoWall and TeslaCrypt.
As the malware became more similar, this approach became less meaningful, and security companies shifted towards identifying ransomware by naming individual threat groups and the criminal platforms used as part of ransomware-as-a-service (RaaS).
This should have made it easier to track ransomware groups across time, until something surprising became apparent: ransomware groups weren’t lasting long. By the time they were given a name, their days were probably numbered.
Constantly tearing down a malware platform and reforming it sounds like a stressful way to do business, but it has advantages. The first is that it helps evade and confuse police or researchers who might be tracking them under an older identity. It might also divert defenders who have grown used to a named enemy and its modus operandi, only for that identity to disappear.
But it’s also possible that the short life of cybercrime operations is designed as a form of protection. A good example of why this matters arrived in late February, when a Twitter account called ContiLeaks leaked a large volume of internal logs related to the Conti ransomware gang’s activity.
This cache blew the lid on the group’s organization, its internal communication, and even how the group hires programmers through legitimate recruitment websites in Russia.
Presumably the Conti group has been fatally compromised by this incident—more reason for its managers to set up somewhere else under a new name. It’s just that this time Conti got its timing wrong and was reportedly undone by disagreements within the group over the Russian invasion of Ukraine. Every business is subject to external events and changes in the market. Almost all go out of business eventually or are taken over. A few, the lucky ones, turn into completely different organizations over time. Ransomware threat groups look like a strangely accelerated version of this natural process.