Ransomware gangs are a serious global threat to companies, government agencies and critical infrastructure, with their actions leading to everything from minor inconveniences to major international crises.

They often have periods of activity and inactivity; their operations are not always continuous. This article will look at five factors that contribute to this cyclical pattern and why ransomware gangs go dormant and discuss what these groups do when they have some free time.

One of the primary reasons ransomware gangs go dormant is due to pressure from law enforcement agencies worldwide. High-profile takedowns, arrests, and sanctions can force these groups into hiding. For instance, the takedown of the Emotet botnet in early 2021 by international law enforcement demonstrated the effectiveness of coordinated efforts against cybercrime infrastructure in general.

After a period of dormancy, during which they may reorganize, establish new operational security measures, or even wait for law enforcement attention to wane, these groups often re-emerge under new names or affiliations. The re-emergence of REvil ransomware, after key members were arrested, highlights how these groups can return even after significant law enforcement actions.

Ransomware gangs often go dormant to rebrand and evade detection. This strategy allows them to escape the scrutiny and countermeasures developed by cybersecurity researchers and law enforcement.

By going quiet, they can refine their tactics, and come back with a different name or modus operandi, making it harder for their previous activities to be traced back to them. The transition from GandCrab to REvil is a notable example, where members of the former group started the latter, effectively continuing their operations under a new banner. This rebranding strategy complicates efforts to track and counteract these groups, as it requires adaptation from cybersecurity professionals.

Ransomware gangs operate with the primary motive of financial gain. Going dormant can be a strategic decision to maximize profits while minimizing risks. During active phases, these groups accumulate wealth through successful ransom operations. However, continuous operation increases the risk of detection, infiltration by law enforcement, or countermeasures by cybersecurity firms.

By going dormant, they can lay low, invest their ill-gotten gains, and plan future attacks with a lower risk profile. This period also allows them to assess the cybersecurity landscape, identify new vulnerabilities, and tailor their next wave of attacks for maximum impact and profit.

The internal dynamics of ransomware gangs can also lead to periods of dormancy. Leadership disputes, changes in membership, or shifts in strategic direction can temporarily halt operations. The affiliate model used by many ransomware gangs, where sole hackers or groups use the ransomware tools developed by a core team for a share of the profits, can lead to changes in affiliations and partnerships.

These periods of restructuring can be important for maintaining the effectiveness and cohesion of the group. When they re-emerge, they may have new affiliates, targets, and tactics that reflect the outcomes of their internal changes.

Finally, ransomware gangs may go dormant to focus on the development of new tools and techniques. As cybersecurity defenses evolve, so must the tactics of these cybercriminals.

Dormant periods can be used for research and development, creating more sophisticated ransomware, exploring new methods of infiltration, and testing their creations to ensure they can bypass modern security measures.

The emergence of ransomware strains that exploit novel vulnerabilities or employ advanced evasion techniques often follows these quiet phases, signaling that the group has been hard at work enhancing their arsenal and methodology.

As we navigate the threat landscape, it becomes clear that reactive measures are insufficient. The cyclical nature of ransomware gang activity, from dormancy to resurgence, emphasizes the need for a proactive and comprehensive cybersecurity strategy.

BlackFog, provides a solution with a focus on preventing data exfiltration with ADX technology. This next generation cybersecurity solution has been designed to help organizations protect themselves from ransomware attacks and extortion 24/7, without the need for human intervention. Don’t wait for the next ransomware attack wave; take proactive action now and secure your most valuable asset.

Learn how our solutions can strengthen your cybersecurity posture and prevent ransomware incidents.