Is Ransomware Dying?

by Brian Petzold | May 17, 2024


In December 2023 the US Justice Department announced that they had disrupted operations of ALPHV/Blackcat, a ransomware group that was responsible for many of the most prolific attacks in 2023. ALPHV/Blackcat fought to continue their operations up until March 2024, at which point they closed shop, allegedly stealing extortion money “earned” by their affiliates while claiming that the Feds had shut them down again. It is true, there is no honor among thieves.

Meanwhile, in February 2024 a consortium of international law enforcement agencies announced that they had infiltrated LockBit systems, obtained critical data, taken control of the systems, and ultimately locked LockBit out of their own systems. The agencies also claimed to have gathered information regarding the 194 affiliates who worked with LockBit to deploy their ransomware into organizations.

The two operations eliminated the gangs that were responsible for almost 30% of 2023 ransomware attacks, and as a result the beginning of 2024 has seen a large decline in ransomware cases so far. Meanwhile, law enforcement is not slowing down. This week, the real identity of the man responsible for LockBit was widely publicized as a Russian national named Dmitry Yuryevich Khoroshev. Dmitry has now been sanctioned by several governments (including the US). Since Dmitry also collected a reported $500 million in ransom payments tax-free, there is some speculation that the Russian government will now be after Dmitry to collect their fair share and that he will not get to enjoy his plunder much longer.

Ransomware has been hard to fight because the perpetrators are often located in countries that protect them. The above events, along with some smaller events in 2023, show that law enforcement is finally figuring out how to counter ransomware by:

  1. Infiltrating their organizations. Since large ransomware organizations work anonymously and do not know who they are working with, they now need to be fearful that those they trust are really Feds. This may slow down the growth of these organizations or splinter them whenever somebody gets suspicious.
  2. Making keys available to victims. In some cases, law enforcement working within the ransomware organizations was able to leak keys to victims of the gangs. With potential ransom payments of millions of dollars per victim, this cuts into the profits of the ransomware operators.
  3. Making it personal. By publicizing those responsible for ransomware, law enforcement may be making life hard on them even though the criminals are out of their jurisdiction. When you live in a country where crime is tolerated and your neighbors read that you stole millions of dollars, you will likely now be a target of criminals as well as tax collectors within your own country.

So, is ransomware dying? It is too early to tell if the new tactics being used by law enforcement will continue to be effective, but we can hope they create enough barriers that those who are considering a career in ransomware will be dissuaded and choose other occupations.
