
Expert commentary: 2 year anniversary of Emotet

January 2023 by Melissa Bischoping, Director, Endpoint Security Research at Tanium

As the two-year anniversary of the Emotet takedown on January 27th approaches, Melissa Bischoping, Director, Endpoint Security Research at Tanium, discusses the lessons learned from the attack and why cybersecurity is more important than ever.

“Cybersecurity is always a game of cat-and-mouse, especially when dealing with mature threat actor groups. Much like those defending and hunting for threats, the threat actors themselves also have talented and innovative engineers working to outpace and outwit our capabilities to prevent, detect, and evict. The takedown of Emotet was a sophisticated operation of law enforcement from multiple countries that took a significant amount of time and money to execute. While the takedown was a win, it didn’t fully eradicate the group or the threat, and it’s not often possible to put that level of investment towards every group.

What we can learn from the takedowns of previous groups is that while they may be sophisticated, they are not immune to making mistakes. This is why threat intelligence and forensics are so important to law enforcement for tracking a group’s behavior. Eventually, mistakes can be made that lead to exposure and opportunities for arrest.

Additionally, when part of a group is taken down, the surviving members often regroup or spin off into new organizations. Much like a family tree, similar code and tactics, techniques, and procedures may survive into the new generation and help security researchers and defenders prepare. This was the case with Emotet, which reappeared with some changes to their malware in 2022. Sophisticated, experienced groups like this will regroup, make some improvements to their infrastructure, and get back on the attack. They will have lessons learned so they can be more effective going forward, but they won’t 100% reinvent themselves.

In the months to come, we can expect to see more multi-extortion campaigns. Gone are the days when ransomware sought only to encrypt your files in exchange for cryptocurrency payments. Recent statistics suggest that overall ransomware revenue fell 40% between 2021 and 2022, with organizations leveraging effective backups and incident management procedures to resume business operations without paying. Ransomware groups are well experienced in adapting and overcoming obstacles to profit, though. Organizations compromised today may see industrial espionage or theft of intellectual property or customer data. This data can later be held for additional ransom or sold to a third party. Global economic uncertainty and rising costs may contribute to an uptick in those entering the market, and the ransomware-as-a-service model makes for a relatively low barrier to entry for new and novice players. Fortunately, the subscribers to RaaS operations are using very similar TTPs, and the golden advice of asset visibility, patch management, credential hygiene, and multi-factor authentication is a strong base of protection.”
