
Major ransomware groups announce operations shutdown

Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters, and Lapsus$, announced they are shutting down operations through a collective statement posted on Breachforums.

 

What happened

Fifteen well-known ransomware groups made a joint announcement on Breachforums declaring the end of their operations. The groups, which include some of the most notorious names in recent cybercrime history such as Scattered Spider, ShinyHunters, and Lapsus$, claimed they had achieved their stated goals of exposing weaknesses in digital infrastructure rather than pursuing profit through extortion. The collective statement indicated that some members plan to retire using accumulated funds, while others intend to continue studying and improving systems in silence. The announcement also addressed members currently in custody, vowing to work toward their release and hinting at potential retaliation against law enforcement.

 

Going deeper

The announcement included more than a dozen factions tied to high-profile breaches of corporations, governments, and service providers. The groups struck a defiant tone in their statement, specifically addressing concerns about their disappearance and indicating that members would either enjoy "golden parachutes with the millions the group accumulated" or continue their work covertly. The statement also contained threats regarding incarcerated members, suggesting ongoing loyalty and potential future actions against law enforcement agencies that pursued them.

 

What was said

The ransomware groups stated in their announcement: "If you worry about us, don't … [we] will enjoy our golden parachutes with the millions the group accumulated. Others will keep on studying and improving [the] systems you use in your daily lives. In silence."

Nivedita Murthy, senior staff consultant at Black Duck, said: "Organizations should take these announcements with a pinch of salt. It could be possible that some of these groups may have decided to step back and enjoy their payday, [but] it does not stop copycat groups from rising up and taking their place."

James Maude, field CTO at BeyondTrust, noted: "Cybercrime groups have a bit of a history when it comes to retiring that is often no more than the equivalent of lying low while the heat is on. Back in 2019, the GandCrab crew announced they were retiring after earning more than $2bn [...] A few months later, REvil ransomware appeared bearing all the hallmarks of the GandCrab crew."

Casey Ellis, founder at Bugcrowd, said: "It's safest to consider this announcement as more of a PR stunt than a genuine farewell. Historically, cybercriminals rarely retire in the traditional sense. Instead, they rebrand, regroup or pivot to new tactics and operations, or they get caught."

Dave Tyson, partner of intelligence operations at iCOUNTER, stated: "It's never retirement, it's simply part of the normal lifecycle of criminality. Groups come together for specific purposes, form into units to execute their plans and exit the definable identity to lower the focus on that collective or unit."

 

In the know

Ransomware groups typically operate by encrypting victims' data and demanding payment for decryption keys, often using double-extortion tactics where they steal data before encryption and threaten to release it publicly if demands aren't met. 

 

Why it matters

The simultaneous nature of these "retirement" announcements, combined with the historical precedent of cybercriminal groups rebranding rather than truly retiring, suggests this may be a strategic move to reduce law enforcement pressure while maintaining operational capabilities under new identities. For healthcare organizations that have been frequent targets of these specific groups, the gap left by this claimed retirement could quickly be filled by emerging or rebranded criminal organizations, potentially with new tactics and approaches that existing security measures may not anticipate.

 

FAQs

Why would ransomware groups publicly announce a shutdown instead of disappearing quietly?

Public announcements can reduce law enforcement pressure and create uncertainty while groups regroup or rebrand.

 

Could members of these groups resurface under different names?

Yes, cybercriminal groups often rebrand or reorganize to avoid tracking while continuing operations.

 

What risks remain for healthcare organizations despite these shutdown claims?

Healthcare remains a prime target, and copycat or successor groups are likely to exploit the same weaknesses.
