Ransomware never goes away, nor do the groups that use the data-locking malware in attacks. Despite multiple initiatives, sanctions, and attempts by law enforcement to make arrests, ransomware groups are springing back like boomerangs, rebranding and reforming under different names.
There are numerous examples of this happening, and it is unsurprising: constantly changing their name and adjusting their operations makes cyber criminals much more difficult to catch.
This has been the strategy behind the transformation of groups such as DarkSide – which rebranded after a devastating attack on the US Colonial Pipeline – and EvilCorp, the notorious ransomware operation that re-formed to escape sanctions.
Tim Mitchell, senior security researcher at Secureworks, says the principal reason for a rebrand is to evade law enforcement and sanctions.
Rebranding ensures victims can still pay, which is essential to keep the ransomware business model thriving. “When law enforcement sanctions a specific group, it effectively makes paying a ransom to that group illegal in the US,” Mitchell says. “This will have a huge impact on its ability to profit from ransomware attacks.”
Groups also rebrand to avoid law enforcement interest. Mitchell cites the example of the DarkSide attack on Colonial Pipeline. “It had such a devastating impact on critical infrastructure that the group would have been put in the crosshairs of the FBI and other agencies. So they shuttered the operation and rebranded as BlackMatter – which later became BlackCat.”
Increased attention often results in law enforcement action against a group, with infrastructure takedown and member arrests. “Those who successfully evade capture often join other groups or start a new ransomware operation under a different name but use similar malicious code for their payloads,” says Hannah Baumgaertner, head of research at Silobreaker.
Sometimes, groups rebrand or reform due to internal conflicts. Ransomware groups often include disgruntled members, who might make off with the code and form their own operation. Affiliates can break away from groups and take ransomware source code with them to effectively rebrand, says Mitchell. For example, he says, “We believe that the REvil ransomware operators (GOLD SOUTHFIELD) were former affiliates of the GandCrab ransomware operation”.
Like any worthy business, ransomware operators’ reputation is important. Many groups heavily depend on their reputation to pressure victims into paying, says Shobhit Gautam, staff solutions architect, EMEA at HackerOne. “If a group gains a reputation for being ruthless or untrustworthy, they may choose to rebrand to build a positive image.”
A group could also rebrand if it alters its attack methods or target types, signalling a new chapter for its operations.
Rebrands are effective because they make things more difficult for law enforcement and threat hunters trying to pin them down. Part of the issue is that most core members are not located in the US and operate from countries with minimal law enforcement capability, says Vincent D’Agostino, head of digital forensics and incident response at BlueVoyant.
Many current ransomware groups are suspected to be based in Russia, says Baumgaertner. “Russia has been accused of enabling a safe haven for ransomware hackers as law enforcement actions against any members are rarely seen.”
For researchers, this makes keeping track of the different gangs difficult, as there are constantly new ones emerging, says Baumgaertner.
In addition, many of the supposedly new ransomware operations are later found to rely heavily on the code of other known ransomware strains. She says this makes it difficult to determine whether groups are new, rebranding or regrouping.
Ransomware rebrands are undoubtedly interesting. However, whether a ransomware group goes by one name or another is irrelevant to businesses. What’s more important is keeping up to date with the latest trends in tactics and techniques used by different groups and the commonly targeted industries, says Baumgaertner.
“Some groups rely on initial access brokers selling access to networks online. Therefore, businesses should secure all their external facing networks properly to prevent successful infiltration.”
Other groups may prefer to exploit vulnerabilities in public-facing systems. This makes it important to ensure you are always running the latest and most secure software version, says Baumgaertner.
She also highlights the importance of regular backups and a strong security posture, including multi-factor authentication and staff training to help safeguard against ransomware. “This will ensure businesses can more easily defend against an intrusion and get their systems back up and running at a faster pace.”
After the 2021 high-profile attack on Colonial Pipeline, which disrupted services for six days, DarkSide disappeared and re-emerged as BlackCat. Soon after the pipeline attack, someone seized DarkSide’s servers and drained cryptocurrency funds from its accounts. Then, a member of the REvil operation posted a message on a cyber crime forum announcing DarkSide’s retirement, according to KrebsOnSecurity.
BlackCat first appeared in November 2021, and in February 2022, the ransomware gang confirmed it was comprised of former members of the DarkSide operation. Kennet Harpsoe, lead security researcher at Logpoint, says the rebrand allowed the group to distance itself from “intense scrutiny” following the Colonial Pipeline incident while continuing its criminal activities.
The Russia-affiliated group Ryuk first emerged in August 2018 and gained notoriety in 2019 for demanding multi-million dollar ransoms from companies, hospitals, and local governments. With law enforcement on its back, it apparently rebranded as Conti in 2020. This new iteration employed more aggressive tactics and took aim at larger organisations, says Harpsoe.
In 2022, Conti rebranded again after the attack on the Costa Rican government and the Conti News data leak. Now, the group seems to have splintered into Karakurt and BlackByte, among others, says Harpsoe.
Well-known ransomware group EvilCorp rebranded in 2021 to escape US sanctions that would stop it from being paid. Following sanctions against members, the group rebranded from BitPaymer to WastedLocker and made further changes over the next year. “We think GOLD DRAKE actually ended up as an affiliate of LockBit, which prompted the administrator to issue a denial on their leak site,” Mitchell says.
Another ransomware gang that rebranded, possibly to avoid law enforcement fallout, is the Royal ransomware gang, which rebranded after a high-profile attack on the city of Dallas in May 2023. Soon, reports emerged that the group was rebranding to BlackSuit, but it is unclear what happened. Royal has continued to launch attacks, and the group has named more victims under the Royal name than under BlackSuit, although attacks under the latter moniker have recently picked up, says Mitchell.
The infamous ransomware group DoppelPaymer has been active since 2019 and is known for its sophisticated attacks on healthcare and education. In mid-2021, after sustained efforts by investigators and cybersecurity firms to dismantle DoppelPaymer’s operations, a new ransomware strain called Grief surfaced. This strain showed significant similarities with DoppelPaymer, says Sergei Serdyuk, VP of Product Management at NAKIVO.
In 2019, Maze emerged as ransomware targeting Windows-based operating systems in numerous industries. The ransomware would compromise and lock up data, often demanding a Bitcoin ransom payment for its release. “Although Maze creators reported a self-shutdown in 2020, successor Egregor ransomware soon emerged to take its place,” says Serdyuk. “This seems like a tactic to dodge security threat hunters and continue operations with a new identity, maintaining their influence in the cyber criminal underworld and lowering the risk of capture.”