
Persisting durability of cyber group eliminations

Website seizures or rebranding by threat groups may not prevent their future actions, yet every successful intervention offers valuable insights to researchers.

Persisting Cyber Group Shutdowns: Sustainability in Question

International law enforcement agencies have recently been actively taking down cybercrime groups. Over the same period, the Veeam report indicates a 104% increase in average ransom payments to these groups, now averaging $1.13 million. The median payment reflects the same surge, having doubled to $400,000.

One such operation was the Zservers takedown, a success for law enforcement. However, hackers often continue to operate even after a group has been taken down, reemerging on new sites and servers, or with a fresh coat of paint.

Europol's recent takedown of 200 malicious domains and 600 servers associated with Cobalt Strike resulted in a significant decrease in the misuse of the Cobalt Strike tool, with its usage dropping by 80%. Yet, the misuse did not cease entirely, highlighting the resilience of these groups.

Ransomware operations have evolved, with some groups now preferring extortion without encryption, which complicates traditional detection and mitigation strategies. Groups also employ sophisticated evasion tactics, such as internal surveillance of incident response communications and the use of fake online identities, making them harder to track and eliminate.

Despite the high stakes, enterprises are taking a stronger stance, with some refusing to pay ransom and implementing more robust backup and recovery systems. Only 17% of enterprises have paid a ransom so far in 2025.

These takedowns serve as PR moves, demonstrating that cybercrime doesn't always pay and that law enforcement takes these crimes seriously. However, they are not a final solution. The industry must adopt a comprehensive, adaptive security posture and invest in resilience, detection, and prevention.

A more proactive, layered, and sustained cybersecurity approach is needed. This includes rigorous vulnerability management, advanced threat detection and behavioral analytics, continuous threat hunting and red teaming, enhanced identity verification, and restrictions on lateral movement within networks. Collaboration across the public and private sectors, along with legislative and technological innovation, is also crucial to addressing fast-adapting threats holistically.

Rebranding and code reuse are common practices among cybercriminal groups, with groups often recycling ransomware codebases or reemerging using leaked source code. The threat landscape is dynamic, and the industry must be prepared to adapt and evolve its strategies accordingly.

Despite the challenges, it's encouraging to see enterprises taking a stronger stance against ransomware attacks. The industry must continue to invest in cybersecurity, recognising the persistence and agility of cybercrime groups in reemerging and evolving.

  1. In the realm of technology, a growing trend among cybercriminal groups involves rebranding and code reuse, with groups recycling ransomware codebases or reemerging using leaked source code, demonstrating the dynamic threat landscape.
  2. Podcasts discussing cybersecurity have been increasingly informative, addressing the evolving tactics employed by cybercriminals, such as extortion without encryption and the use of internal surveillance, to make them harder to track.
  3. As the misuse of ransomware has escalated, general-news outlets have been covering the resilience of these groups, reminding the public that although law enforcement has succeeded in taking down several cyber crime groups, the criminals often continue to operate under new identities or sites.
