Two of the most notorious ransomware gangs in the world are imploding, leaving high-profile victims in their wake and creating chaos in the cybercriminal underworld.

In the last several years, the BlackCat and LockBit groups have thrived by embracing a ransomware-as-a-service model, leasing their malware to affiliate hackers to target thousands of victims and reap millions in extortion payments. The future of both groups is uncertain after US and authorities elsewhere seized LockBit and BlackCat websites, arrested alleged hackers and taunted the leader of one gang.

In one recent example, the LockBit gang bluffed in a threat to publish details about former president Donald Trump, according to security experts. Meanwhile a BlackCat administrator claimed online that the group is shutting down amid a reported payment dispute.

"It’s really a pressure-cooker situation, driving them to operate in more erratic and unpredictable ways,” said Wendi Whitmore, senior vice president and head of the Unit 42 threat intelligence group at Palo Alto Networks Inc.

"Attackers are feeling the heat, pressured by disruptions in their infrastructure, new regulations that require victim organisations to adapt their security efforts, and enhanced security detection capabilities,” she said.

Few are ready to declare victory. Ransomware hackers – many of whom are based in Russia or other countries outside of the reach of US law enforcement – often move to a different cybercriminal group or start a new one.

"It’s not going to go away,” said George Kurtz, chief executive officer of the cybersecurity firm Crowdstrike Holdings Inc, in an interview with Bloomberg News. "They’re just going to re-constitute.”

Still, the weakening of two gangs that have caused so much disruption marks a significant milestone in efforts by the US and its allies to thwart cybercriminals, experts say.

"In the past groups were able to operate with almost complete impunity. That is no longer the case,” said Brett Callow, a threat analyst at the cybersecurity firm Emsisoft.

The BlackCat gang has been tied to attacks on a German fuel depot, a UK hospital group, MGM Resorts International, and, most recently, Change Healthcare, a subsidiary of insurance giant UnitedHealth Group Inc.

In December, the US authorities seized websites belonging to BlackCat and provided a decryption tool to help victims restore their computer networks. Those types of seizures can be particularly damaging to gangs that lease out their malware, since affiliates may fear that law enforcement has infiltrated them, according to Jon DiMaggio, chief security strategist at Analyst1. After the takedown, a BlackCat administrator urged affiliates to target hospitals.

The group’s hack of Change Healthcare was discovered on Feb 21 and has caused major disruptions in the US healthcare system, problems that threaten to get worse the longer Change’s system remains down. UnitedHealth said on March 7 that some parts of the network that handle payments and medical claims will come back online in mid-March, while electronic prescribing services are now restored.

It’s not known if a ransom was paid. However, US$22mil was deposited in a cryptocurrency wallet associated with BlackCat, according to a person familiar with the matter. The deposit was previously reported by Wired.

UnitedHealth hasn’t commented on whether it paid a ransom. A BlackCat affiliate complained that he wasn’t paid his share of the Change Healthcare ransom, and a representative of the group said it was shutting down, according to the cybersecurity blog KrebsonSecurity.

LockBit has been active since at least the start of 2020 and has targeted more than 2,000 victims, according to the US Justice Department. Its past victims include Industrial & Commercial Bank of China Ltd, ION Trading UK, the UK Royal Mail and Boeing Co.

Instead of ceasing operations, LockBit has tried to resume its criminal ways. It continued with threats from a hack on Fulton County, Georgia, that had occurred before the law enforcement action. That attack, discovered in January, caused widespread phone outages and residents being unable to pay utility bills. The sheriff’s office had to rely on paper forms to process people in and out of jail and voter registration was temporarily shuttered.

In a statement Tuesday, the county said it “continues to experience an unexpected IT outage affecting multiple systems”.

Fulton County District Attorney Fani Willis said the case against Trump was unaffected by the breach. "All material related to the election case is kept in a separate, highly secure system that was not hacked and is designed to make any unauthorized access extremely difficult if not impossible,” she told the Associated Press in a January statement. Representatives for Willis’ office did not respond to inquiries from Bloomberg about the hack.

LockBit threatened to publish sensitive information it stole from the county online, including information about Trump. But a deadline came and went without any such disclosure. County officials have denied paying a ransom and said they’re continuing to work with the FBI and conduct their own investigation.

"It does show that they’re less powerful because they had to have such an incredible bluff in order to try and get the money out of them,” said Allan Liska, a threat intelligence analyst at the cybersecurity firm Recorded Future Inc.

Like other gangs that have been disrupted by law enforcement, LockBit will have to convince affiliates they can be trusted to fully resume operations.

"I mean, they’ve been the longest running ransomware strain we’ve been tracking,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis Inc. "I don’t know that they’ll want to give it up so easily.” – Bloomberg