Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Ransomware retirements: are threat groups really going away?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Multiple ransomware groups, including Scattered Spider and ShinyHunters, are publicly claiming retirement after a year of high-profile attacks, but security researchers say the pattern more likely reflects disruption, arrests, and brand churn than a true exit from criminal operations, according to Swarmnetics. The practical lesson is that defenders should treat “retirement” as a temporary signal, not a control failure that changes the underlying identity and social-engineering threat model.

NHIMG editorial — based on content published by Swarmnetics: Over a Dozen Ransomware Groups “Call it Quits,” But Don’t Let Your Guard Down

Questions worth separating out

Q: What breaks when ransomware groups change names but keep the same tactics?

A: The main failure is assuming the brand name is the threat.

Q: Why do ransomware crews still rely on identity compromise instead of only malware?

A: Identity compromise is faster, quieter, and often more reliable than malware delivery alone.

Q: How do organisations know whether a ransomware lull is real or just dormancy?

A: Look at the underlying access patterns, not the public statements.

Practitioner guidance

  • Harden account recovery paths Require strong verification, out-of-band approval, and fraud-resistant checks for password resets, MFA resets, and support escalations so attackers cannot turn helpdesk trust into access.
  • Reduce standing privilege in identity recovery workflows Separate normal support roles from elevated recovery permissions, and ensure privileged actions are time-bound, logged, and independently approved.
  • Inventory service accounts and tokens tied to business-critical systems Map owners, scopes, and revocation paths for API keys, service accounts, and automation tokens so a human compromise does not become a machine-scale compromise.

What's in the full analysis

Swarmnetics's full analysis covers the operational detail this post intentionally leaves for the source:

  • The list of named groups and the public channels they used to frame their retirement claims.
  • The article's timeline of arrests, dormancy signals, and likely rebranding behaviour.
  • The specific context behind the Scattered Spider and ShinyHunters pressure points mentioned in the source.
  • The original commentary on why these groups' known social-engineering tactics may persist after the announcement.

👉 Read Swarmnetics's analysis of ransomware group retirements and likely dormancy →

Ransomware retirements: are threat groups really going away?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Brand retirement is usually a governance signal, not a threat signal. When ransomware crews disappear from public channels, the operational risk rarely disappears with them. The more likely outcome is dormancy, rebranding, or fragmentation under pressure, which means defenders must keep measuring the access paths, not the headlines. For practitioners, the relevant question is whether identity controls still block the tactics that made the group effective.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when compromised credentials are used to trigger ransomware?

A: Accountability usually spans identity, infrastructure, and security operations because the failure chain includes authentication design, network trust boundaries, and detection gaps. Frameworks such as NIST CSF and Zero Trust Architecture place responsibility on governance that limits blast radius, not only on the team that owns the portal.

👉 Read our full editorial: Ransomware group retirements may signal dormancy, not disappearance



   
ReplyQuote
Share: