TL;DR: Multiple ransomware groups, including Scattered Spider and ShinyHunters, are publicly claiming retirement after a year of high-profile attacks, but security researchers say the pattern more likely reflects disruption, arrests, and brand churn than a true exit from criminal operations, according to Swarmnetics. The practical lesson is that defenders should treat “retirement” as a temporary signal, not a control failure that changes the underlying identity and social-engineering threat model.
NHIMG editorial — based on content published by Swarmnetics: Over a Dozen Ransomware Groups “Call it Quits,” But Don’t Let Your Guard Down
Questions worth separating out
Q: What breaks when ransomware groups change names but keep the same tactics?
A: The main failure is assuming the brand name is the threat.
Q: Why do ransomware crews still rely on identity compromise instead of only malware?
A: Identity compromise is faster, quieter, and often more reliable than malware delivery alone.
Q: How do organisations know whether a ransomware lull is real or just dormancy?
A: Look at the underlying access patterns, not the public statements.
Practitioner guidance
- Harden account recovery paths Require strong verification, out-of-band approval, and fraud-resistant checks for password resets, MFA resets, and support escalations so attackers cannot turn helpdesk trust into access.
- Reduce standing privilege in identity recovery workflows Separate normal support roles from elevated recovery permissions, and ensure privileged actions are time-bound, logged, and independently approved.
- Inventory service accounts and tokens tied to business-critical systems Map owners, scopes, and revocation paths for API keys, service accounts, and automation tokens so a human compromise does not become a machine-scale compromise.
What's in the full analysis
Swarmnetics's full analysis covers the operational detail this post intentionally leaves for the source:
- The list of named groups and the public channels they used to frame their retirement claims.
- The article's timeline of arrests, dormancy signals, and likely rebranding behaviour.
- The specific context behind the Scattered Spider and ShinyHunters pressure points mentioned in the source.
- The original commentary on why these groups' known social-engineering tactics may persist after the announcement.
👉 Read Swarmnetics's analysis of ransomware group retirements and likely dormancy →
Ransomware retirements: are threat groups really going away?
Explore further
Brand retirement is usually a governance signal, not a threat signal. When ransomware crews disappear from public channels, the operational risk rarely disappears with them. The more likely outcome is dormancy, rebranding, or fragmentation under pressure, which means defenders must keep measuring the access paths, not the headlines. For practitioners, the relevant question is whether identity controls still block the tactics that made the group effective.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
A question worth separating out:
Q: Who is accountable when compromised credentials are used to trigger ransomware?
A: Accountability usually spans identity, infrastructure, and security operations because the failure chain includes authentication design, network trust boundaries, and detection gaps. Frameworks such as NIST CSF and Zero Trust Architecture place responsibility on governance that limits blast radius, not only on the team that owns the portal.
👉 Read our full editorial: Ransomware group retirements may signal dormancy, not disappearance