Ransomware Groups Are Bouncing Back Faster From Law Enforcement Busts

Two months ago, the FBI “disrupted” the BlackCat ransomware group. They're already back—and their latest attack is causing delays at pharmacies across the US.

Six days before Christmas, the US Department of Justice loudly announced a win in the ongoing fight against the scourge of ransomware: An FBI-led, international operation had targeted the notorious hacking group known as BlackCat or AlphV, releasing decryption keys to foil its ransom attempts against hundreds of victims and seizing the dark web sites it had used to threaten and extort them. “In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” deputy attorney general Lisa Monaco declared in a statement.

Two months and one week later, however, those hackers don't appear particularly “disrupted.” For the last seven days and counting, BlackCat has held hostage the medical firm Change Healthcare, crippling its software in hospitals and pharmacies across the United States, leading to delays in drug prescriptions for an untold number of patients.

The ongoing outage at Change Healthcare, first reported to be a BlackCat attack by Reuters, represents a particularly grim incident in the ransomware epidemic, and not just because of its severity, its length, and the potential toll on patients' health. Ransomware-tracking analysts say it also illustrates how even law enforcement's wins against ransomware groups appear to be increasingly short-lived: the hackers targeted in carefully coordinated busts simply rebuild their infrastructure and restart their attacks with impunity.

“Because we can't arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can't stop them,” says Allan Liska, a ransomware-focused researcher for cybersecurity firm Recorded Future. Instead, Liska says, law enforcement often has had to settle for spending months or years arranging takedowns that target infrastructure or aid victims, but without laying hands on the attacks' perpetrators. “The threat actors just need to regroup, get drunk for a weekend, and then start right back up,” Liska says.

In another, more recent bust, the UK's National Crime Agency last week led a broad takedown effort against the notorious Lockbit ransomware group, hijacking its infrastructure, seizing many of its cryptocurrency wallets, taking down its dark web sites, and even obtaining information about its operators and partners. Yet less than a week later, Lockbit has already launched a fresh dark web site where it continues to extort its victims, showing countdown timers for each one that indicate the remaining days or hours before it dumps their stolen data online.

None of that means law enforcement's BlackCat or Lockbit operations haven't had some effect. BlackCat has listed 28 victims on its dark web site for February so far, a significant drop from the 60-plus Recorded Future counted on its site in December, prior to the FBI's takedown. (Change Healthcare isn't currently listed among the victims on BlackCat's site, though the hackers reportedly took credit for the attack, according to ransomware-tracking site Breaches.net. Change Healthcare also didn't respond to WIRED's request for comment on the cyberattack.)

Lockbit, for its part, may be hiding the extent of its disruption behind the bluster of its new leak site, argues Brett Callow, a ransomware analyst at security firm Emsisoft. He says that the group is likely downplaying last week's bust in part to avoid losing the trust of its affiliate partners, the hackers who penetrate victim networks on Lockbit's behalf and might be spooked by the possibility that Lockbit has been compromised by law enforcement.

Nonetheless, Callow says, ransomware actors “do seem to be bouncing back faster.” That's only to be expected, he argues, when the hackers aren't in custody and the money to be made provides both the resources and the incentive to simply get back to work, even after seizures or disruptions. For 2023, he notes, cryptocurrency tracing firm Chainalysis pegged total ransoms paid by victims at a record-breaking $1.1 billion. “It's inevitable that groups are going to try harder to maintain their share of that massively profitable industry,” Callow says.

When the FBI targeted BlackCat in December, for instance, the group immediately posted a message to its partners on a newly launched dark web site, promising affiliates a higher share of ransom payments and removing all restrictions on potential victims other than those in the former Soviet Union, a typical rule for Russia-based cybercriminals. The message suggested its affiliate hackers could now target “hospitals, nuclear power plants, anything and anywhere.” (In fact, the rule change was at least in part a scare tactic, says Recorded Future's Liska; BlackCat had targeted hospitals before.)

Ransomware groups' quick recoveries from recent law enforcement operations contrast with earlier cases when actual arrests were made—almost always arrests of ransomware group members or partners outside of Russia. Those cases, like the arrest of a suspect in Florida who was allegedly associated with the Scattered Spider group that targeted MGM Casinos last year, had far more permanent effects.

Even some past takedowns that didn't include arrests, however, have put longer-lasting dents in the ransomware economy. The FBI's hijacking of infrastructure belonging to the Hive ransomware group early last year led to a nearly year-long disappearance of the group before it resurfaced under the name Hunters International, says Jackie Burns Koven, Chainalysis's head of cyber threat intelligence. Chainalysis estimates the Hive operation averted more than $210 million in total ransoms paid.

Ransomware groups may be rebuilding faster over time in part because of the increasing sophistication of the ransomware economy, Burns Koven says. Hackers targeted in a disruption operation can now quickly purchase replacement malware or other tools, rent crime-friendly hosting, or even buy entry into already-breached organizations from other hackers who act as “initial access brokers.” But Burns Koven also notes that law enforcement operations help to degrade that economy by sowing division among hackers. In the wake of the Lockbit takedown, for instance, the cybercriminal marketplace Breached Forum banned the sale of ransomware tools and services in an apparent attempt to avoid law enforcement's scrutiny. “What these operations do is degrade trust among members and cause operational friction,” she says.

All of that suggests that law enforcement disruption campaigns serve a purpose. But they won't solve the ransomware problem on their own, argues Emsisoft's Callow. The larger solution, he says, will have to include improved security for potential victim organizations, sanctions on ransomware actors and those associated with them, tighter regulations on cryptocurrency, and perhaps even laws banning ransomware payments—a controversial proposal.

“Disruption efforts alone aren’t likely to represent a solution to the ransomware problem. Rather, they need to be part of a multi-pronged strategy,” says Callow. “Tightening the screws on every single bit of the ransomware ecosystem.”