In the ever-evolving world of ransomware, it’s getting easier for threat groups to launch attacks – as evidence by the growing number of incidents – but more difficult to make a profit.

Organizations’ cyber-defenses are getting more resilient, decryptors that enable victims to regain control of their data, and law enforcement crackdowns on high-profile cybercrime operations like LockBit, BlackCat, and QakBot played roles in helping to reduce the amount of ransom that targeted companies paid out last year, according to blockchain analysis firm Chainalysis.

That said, the reduced number of ransomware payments is more a battle won by the good guys rather than a victory in the war, the Chainalysis analysts wrote in a report this week.

“At the same time, the diversification of malware strains and services, reinvestment in future attacks, and the ability to quickly adapt and rebrand in the face of adversity speaks to the resilient dynamic nature of threat actors in the ransomware ecosystem,” they wrote.

The disruptions can make an immediate difference, but ransomware-as-a-service (RaaS) groups and their affiliates are persistent, putting into question their lasting effectiveness in the constant cat-and-mouse game of cybersecurity.

“To counter this, a concerted effort involving both the public and private sectors is essential, as is broadening the scope of countermeasures,” the Chainalysis team wrote. “By focusing on the cumulative impact of these disruptions, it is possible to improve the long-term effect of actions targeting ransomware threats.”

Kaspersky, Sophos Weigh In on Ransomware

Chainalysis’ report was just one of several released this week by cybersecurity vendors that showed the ongoing and ever-widening threat that ransomware represents to organizations and the importance of victims bringing in law enforcement when an incident occurs.

Researchers with Kaspersky, in their 2024 State of Ransomware report, ransomware accounted for a third of all incidents last year, with a 30% year-over-year increase in targeted ransomware groups and a 71% jump in known victims.

“Unlike random assaults, these targeted groups set their sights on government agencies, prominent organizations, and specific individuals within enterprises,” they wrote. “As cybercriminals continue to orchestrate sophisticated and extensive attacks, the threat to cybersecurity grows ever more pronounced.”

They also found that bad actors were able to efficiently run large-scale campaigns, understood network vulnerabilities, and used well-known security tools and exploited public-facing vulnerabilities to infiltrate organizations.

In their own State of Ransomware 2024 report, Sophos researchers found that about of the 5,000 cybersecurity and IT leaders worldwide surveyed, 97% of companies hit by ransomware in 2023 engaged law enforcement or government agencies for help in such areas as getting advice for dealing with ransomware or getting help investigating an attack. About 58% of companies whose data was encrypted got help from law enforcement in recovering files.

Disruptions Help, But for How Long?

In their report, the Chainalysis researchers used data from Recorded Future that showed a 70% year-over-year jump in the number of ransomware victims. However, their own numbers showed that attacks where the ransom was paid dropped 46%

They pointed to the law enforcement disruption in August 2023 of the QakBot loader malware operation, which was widely used by ransomware groups like Black Basta, Conti, and REvil to gain access into victims’ networks. Other takedowns included the December 2023 operation against BlackCat – also known as ALPHV – and in February of LockBit. LockBit 3.0 was the most prevalent ransomware in 2023, according to Kaspersky.

“This operation was not merely about shutting down websites: It involved a meticulously planned infiltration that compromised the foundational trust within the LockBit community, significantly undermining LockBit’s operations and leaving its affiliates in disarray,” Chainalysis wrote.

LockBit Leader Identified, Hunted

After the takedown, LockBit’s leader boasted that the group would continue its work, though that may be more difficult this week after the Justice Department (DOJ) identified and charged the LockBit developer and operator, identified as 31-year-old Russian national Dimitry Yuryevich Khoroshev – who went by such names as LockBitSupp and putinkrab – and offered a $10 million reward for information leading to his capture.

The DOJ said LockBit was responsible for attacks against 2,500 victims around the world – including 1,800 in the United States – and taking at least $500 million in ransom payments, with about $100 million going to Khoroshev.

Affiliates Adapt

While law enforcement operations may disrupt RaaS groups, their affiliates will continue to adapt.

“While disruptions lead to operational friction and disarray in ransomware groups, as evidenced by decreased ransomware payments and activities, the ransomware model’s inherent flexibility allows affiliates and members of the ransomware supply chain to pivot to new strategies, including monetizing stolen data from previous victims,” Chainalysis researchers wrote.

They wrote that the increasing number of ransomware strains affiliates are using suggest “a period of experimentation and adaptation aimed at circumventing future disruptions. The enduring challenge lies in the adaptability of ransomware actors. It is relatively low-cost for affiliates to change strains, and they do so with agility.”

Disruptions and partnerships between the public and private sectors illustrate a complex relationship between their immediate impacts and the ongoing adaptability of cybercrime networks, the researchers wrote, adding that drop in ransom payments despite the increase in the number of attacks shows a “growing reluctance of victims to comply with the demands of cybercriminals.”

Chainalysis wrote that a whole-of-government approach should target all parts of the ecosystem – not only the infrastructure of cybercrime groups but also laundering mechanisms – and include arrests, sanctions, asset seizure. Blockchain intelligence tools can help law enforcement counter affiliates’ adaptations, victims reporting incidents to law enforcement can provide intelligence and provide them with decryptors, and public-private partnerships and information sharing also are key.