Are Law Enforcement Crackdowns Fueling a Ransomware Gang War?

Why Trust Techopedia

The FBI’s enforcement actions in coordination with CISA and international partners against cyber crime operations seem to be changing how ransomware gangs operate.

Techopedia sats with leading cybersecurity experts to understand how power vacuums work in the illicit industry, how law enforcement actions reshape the dark web, and whether there will ever be an end to ransomware.

Key Takeaways

  • The FBI, CISA, and international law enforcement agencies have leveled up their actions, disrupting major ransomware networks and operations.
  • LockBit and BlackCat – two of the most prolific ransomware gangs — have either been dismantled or driven underground.
  • Experts are detecting increased ransomware activity from gangs that are trying to fill the power vacuum left by BlackCat and LockBit.
  • Cybersecurity organizations have also detected new partnerships among ransomware gangs that build upon the strength of the Five Families criminal syndicate.
  • Experts debate about new techniques in use, new and old players, and why the end of ransomware is no way near.

Ransomware Gangs Partnering Up

While major ransomware players go down, including Lockbit — recently dismantled — and BlackCat (ALPHV) going underground due to FBI heat, other ransomware operators are seizing the moment.

The GhostSec and Stormous groups, who have collaborated in double extortion attacks in the past, are now thought to have partnered up. However, the move signals to a bigger scheme and threat rapidly approaching on the horizon.

Malware and Ransomware-As-A-Service Creates Connections

Richard Caralli, Senior Cybersecurity Advisor at Axio, a SaaS-cyber risk quantification solutions company, explained why ransomware gangs are partnering up and what type of partnership they forge.

“The similarity of attacks and attack methods exhibited in the recent Clorox, MGM, and Caesars intrusions would at least anecdotally imply that there is coordination between ransomware gangs, particularly in the trading of tools, techniques, and methods.”

Caralli explained that the black market for ransomware-as-a-service and malware-as-a-service lowers the technical bar for bad actors and increases accessibility — and also leads to collaboration.


Partnering up is a common strategy, but on the Dark Web, being on the same team does not necessarily mean the same thing as it does for everyone, Caralli explained.

“The proliferation of ransomware-as-a-service is a connecting feature, if only by virtue of the degree to which many gangs use similar malware in their attack vectors,” Caralli said.

“In this case, ‘teaming up’ may be less intentional and more related to the burgeoning underground trade of malware and exfiltrated data.”

The Power Vacuum in the Ransomware Industry

Like in any other criminal environment, when top players are removed from the ransomware frontline, the power vacuum may lead to new leadership or established groups taking over. Caralli from Axio explained just how big a vacuum BlackCat is leaving.

“In 2024, the most noteworthy attacks appear to be executed by the ALPHV/BlackCat gang, particularly against high-value targets,” Caralli said.

In addition to notable attacks against MGM and Henry Schein, they are implicated in the Prudential Financial, Change Healthcare, and Loan Depot attacks so far this year.

“BlackCat operates as a ransomware-as-a-service model, so it is likely that other attack gangs have access to and have used their malware in similar attacks, possibly on lower value targets.”

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, also spoke to Techopedia about the issue.

“The collaboration between the GhostSec and Stormous groups marks a significant evolution in the ransomware landscape, reflecting a tactical shift in how cybercriminals operate to enhance their effectiveness and resilience against law enforcement actions.”

Malik explained that gangs are teaming up to pool resources, share knowledge, and diversify their attack techniques. “This collaboration allows them to target more victims more efficiently and evade detection and countermeasures more effectively,” Malik said.

“Law enforcement actions, such as those disrupting LockBit operations, create a power vacuum within the cybercriminal ecosystem. Other groups see this as an opportunity to ascend in prominence and fill the gap left behind.”

Malik said this can lead to a surge in activity as emerging groups attempt to establish dominance and prove themselves, often innovating to avoid their predecessors’ fates.

The Five Families: The Cybercriminal Syndicate That Runs The Show

The new collaboration between GhostSec and Stormous is not new, in fact, it is built upon a larger partnership: the Five Families.

Ngoc Bui, Security Expert at Menlo Security, described the new partnership as the tip of the iceberg.

“This merger is merely the tip of the iceberg, as these gangs are integral components of a larger, newly formed Five Families.”

Bui explained that this criminal alliance further strengthens the group’s operational capabilities.

“Before the LockBit saga and the FBI’s involvement, rumors popped up regarding LockBit’s potential induction into the Five Families, though the extent of this integration remains unknown.”

Created and openly announced on Telegram and hacker forums in 2023, the Five Families includes five hacker groups. ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec.

The name Five Families not only refers to the 1950s New York mafia families but also teases the famous “Five Eyes” intelligence alliance — U.S., U.K., Canada, Australia, and New Zealand.

Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber, said it was no surprise to see GhostSec and Stormus partnering up.

“Given that GhostSec and Stormous are part of a group known as the Five Families, it makes sense that they would work together.”

Is The New Five Families RaaS Taking Over?

The Five Families have conducted joint-cybercriminal Pro-Palestine operations and breached organizations around the world, introducing the GhostLocker ransomware. Now, CISO assures that GhostSec has evolved with a new GhostLocker 2.0 ransomware and describes it as “a Golang variant of the GhostLocker ransomware”.

They announced a new ransomware-as-a-service (RaaS). With Lockbit and BlackCat out of the RaaS world, the new Five Families ransomware variant could be the next big thing in threat intelligence and cybersecurity.

Law Enforcement and Newton’s Third Law

Chris Anthony — a military veteran who spent most of his career with the Army Rangers, 10th Special Forces Group, and the Intelligence community — and is today the CEO of TeamWorx Security, spoke with Techopedia about action and reaction in cybersecurity.

“While law enforcement activity disrupts and delays the gangs’ operations, these gangs have ultimately reemerged. The vacuum exists in the affiliate programs, which are smaller groups that operate the ransomware on behalf of the larger gang.


“As a group is taken down, its affiliates are looking for a new Ransomware-as-a-Service group to join. Other ransomware gangs take advantage of this and seek to pull these affiliate groups into their network.”

Bui from Menlo also said that enforcement actions often have indirect effects.

“The response of law enforcement to `top tier’ ransomware gangs, while impactful, often serves as a learning curve rather than a deterrent for other criminal factions. The disruption often fails to create a significant power vacuum, instead providing a blueprint for remaining groups to refine their operations and solidify inter-gang relationships.”

Hyatt added: “More often, you will find unaffiliated groups targeting similar organizations, largely due to groups sharing tactics, techniques, and procedures for exploitation.

“Law enforcement action tends to have a ripple effect across criminal organizations. As groups are disrupted, they will disappear and rebrand. It can be compared to fighting the hydra – you cut off one head, another pops up.”

Hyatt assured that Blackpoint Cyber data shows that with ALPHV and Lockbit disrupted, groups like BlackBasta, Play, and Medusa have stepped up to fill the void.

New Ransomware Extortion Techniques To Fly Under the Radar

Ransomware attacks have long been a nightmare for businesses and individuals alike. But the game just got a whole lot more complex. Ransomware gangs are evolving their tactics, moving beyond simple encryption to a multi-layered extortion strategy. Hyatt from Blackpoint Cyber explained some new tactics.

“More and more, we see groups moving to a pure exfiltration and extortion tactic. Instead of encrypting the environment, groups will do a smash-and-grab – exploit a vulnerability, get into an environment, exfiltrate the data, and then ask for a ransom to prevent the distribution of the data.”

Using this extortion method, criminals have a higher chance of success, Hyatt said. “By focusing on just exfiltrating the data rather than encrypting it, the groups can run under the radar of security teams by not triggering traditional defense tools.

Bui agreed and said that new ransomware tactics fit the category of plain old blackmail that promises to become more threatening in the near future. 

“In terms of extortion tactics, the landscape is continually evolving, with some criminals increasingly leveraging stolen data for blackmail purposes, indicating a possible transition towards more nuanced forms of extortion.”

Anthony of TeamWorx Security added that the era of triple ransomware extortion has begun.

“Previously, ransomware gangs would encrypt data and offer it for sale on their leak sites. However, ransomware gangs found that companies would refuse to pay or revert to backups, denying the ransomware gangs their payment.

“Ransomware groups want to put more pressure on the companies to pay and have now begun to encrypt, sell, and launch another attack against the company on top of their initial data theft.”

The End of Ransomware

It came to us as no surprise that of all the experts we interviewed for this story, not one believed that a near-future world without ransomware is possible.

“Ransomware attacks are unlikely to abate anytime soon,” Caralli said. “A recent statement from the 50 members of the International Counter Ransomware Initiative confirms that the velocity of ransomware attacks continues to grow.

“Certainly, if organizations push back stridently with respect to paying (or being open to negotiating) ransoms, we might see some abatement, but this is unlikely to occur on a wide scale,” Caralli added.

“Companies that get hit with ransomware know that the costs associated with such an attack increase exponentially the longer they are in the news, so an essential part of a recovery strategy is to corral the damage as quickly as possible and get out of the headlines.”

Caralli added that ransomware techniques are easy to execute and are profitable for criminal groups.

“The ease of executing a ransomware attack combined with general unpreparedness to fend off such attacks contributes to the problem.”

Malik said that the end of ransomware does not seem imminent and called for organizations to level up social engineering security policies as this is the main gateway through which ransomware operators breach organizations over and over.

“Its eradication would require a multifaceted approach, including enhanced cybersecurity measures, international collaboration on law enforcement.”

Hyatt from Blackpoint Cyber also spoke about the government’s role in putting an end to the criminal trend.

“Until the federal government makes a concerted effort to partner with the security industry and make an investment in cybersecurity outside of lip service to stopping ransomware, we will continue to see it be a plague.

“Law enforcement takedowns of ransomware gangs are fantastic, and the folks doing them are doing great work, but these investigations take a long time to conduct and are just a drop in the bucket.”

Anthony, CEO of TeamWorx Security, jumped into the debate.

“Ransomware will end when there is no money to make in ransomware attacks and countries where the gangs are based stop enabling the groups. The proliferation of cyber insurance, which may include policies to pay ransoms, may increase the profitability and likelihood of launching ransomware attacks.”

The Bottom Line

While the world welcomes international law enforcement actions against cybercriminals, recent and historical events show that when one ransomware group is disrupted, even a big one, ransomware attacks do not stop.

Furthermore, experts believe law enforcement actions do affect the criminal underworld, with cybercriminals and ransomware gangs taking bold actions, making alliances, and running dangerous hacks to show off their capabilities.

The ransomware market has industrialized, ransomware services are on the rise, geopolitical tensions continue to spill into cyberspace, and ransomware gangs and their affiliates continue leveling the field using low-risk, high-reward tactics.

In this highly dynamic environment, there are still many powerful players in the criminal game to pick up the torch of the dismantled and lead, while others regroup and resurface with new aliases and new ransomware technologies.

The end of ransomware is nowhere in sight.


Related Reading

Related Terms

Ray Fernandez
Senior Technology Journalist
Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.