Now that law enforcement agencies are demonstrating an ability to take down the infrastructure that cybercriminal syndicates are using to launch attacks, it appears the never-ending battle to ensure cybersecurity is entering a new phase.
The Federal Bureau of Investigation (FBI) in the U.S., along with other international law enforcement agencies, has seized two dozen servers and nine domains belonging to a ransomware gang called Dispossessor, also known as Radar. The group first emerged last year and became more active following the takedown of the LockBit cybercriminal gang earlier this year.
Dispossessor, in fact, has been credited with attacking at least 43 organizations around the globe before authorities took down three servers each in the United States and the UK and 18 more in Germany. In addition, they seized eight U.S.-based criminal domains and another one in Germany.
The disruption of the Dispossessor operation is the latest in a series of infrastructure and domain seizures that have become increasingly aggressive over the past year. Most notable among those efforts was the takedown of LockBit, but other groups such as Hive and BlackCat/ALPHV have been similarly disrupted.
Some of those cybercriminal gangs, however, have been able to re-establish operations, while others shut down only to be replaced by yet another syndicate. Dispossessor, for example, rose to prominence after the takedown of LockBit. Before that, the group simply advertised the availability of data that had already been leaked by ransomware groups such as LockBit, Hunters International, Cl0p, and 8base.
The next issue law enforcement officials will encounter is that once cybercriminal syndicates fully appreciate the degree to which their operations can be disrupted, they will make sure they have additional infrastructure and domains available on a standby basis. The time required to reboot their operations will, as a result, continue to shrink. In theory, law enforcement officials might be able to identify that standby infrastructure before it is activated, but ensuring that all of it is disabled will be a significant challenge. Regardless of how much of that infrastructure is disabled, cybercriminal syndicates will continue to become more resilient by embracing many of the same best practices that modern IT teams use to ensure application availability, such as redundant hosting and rapid failover to spare capacity.
None of that means an effort to disrupt the operations of cybercriminal syndicates shouldn't be made, but the focus needs to remain on identifying and eventually arresting the perpetrators of these crimes. Disrupting IT infrastructure on its own is roughly the digital equivalent of G-men from the 1920s raiding a warehouse full of illegal booze that is then poured down the sewers. If no one is arrested, the gangsters will simply move to another warehouse.
In the meantime, cybersecurity teams should not assume that takedowns of the infrastructure belonging to major cybercriminal gangs are anything more than a temporary reprieve, and defenses built around the tactics these groups share, rather than around any one group's servers or domains, will outlast any single takedown. It's clear there are plenty of malicious actors willing to fill any void that gets created. After all, the only real difference is that a newer syndicate is likely to be less organized than an established one that has, for better or worse, evolved into something resembling a professional services organization and is consequently easier to negotiate with.