Over a Dozen Ransomware Groups “Call it Quits,” But Don’t Let Your Guard Down

September 23, 2025


Right in the midst of their 2025 reign of terror, the newly-united Scattered Spider and ShinyHunters ransomware groups are calling it quits. They have been joined in their retirement announcement by about a dozen other groups, including Lapsus$ and BreachForums operator InfoBroker.

As one might initially suspect, numerous security researchers believe this is likely a dissolution of the brand names under law enforcement pressure rather than a true end to the criminal careers. But the ransomware groups will likely be going dormant for some period of time, albeit without any assistance offered to victims who are still grappling with their attacks.

Ransomware group “retirements” likely a smokescreen

The announcements do appear to be coming from the actual ransomware groups; they made use of both BreachForums and Telegram accounts they are known to hold. The question is the sincerity. It is extremely unusual for a large number of groups to join hands and announce retirement together, and it happens to come just as the biggest patrons (Scattered Spider and ShinyHunters) have found themselves at the center of global attention after another reckless string of cyber attacks.

Aside from those mentioned already, the full list is a collection of smaller ransomware groups thought to have been associating with the larger groups on attacks since at least August: Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Yukari, and Clown. ShinyHunters and Scattered Spider have both seen new arrests of members since the year began, including two very new ones just announced in the UK (in connection with a 2024 attack).

So this once again appears to be a case of the most active ransomware groups becoming Public Enemy #1 and subsequently breaking up under the pressure. The next step is usually some weeks to months of dormancy, followed by a return under new brand names or in association with other groups. The hackers say this time is different and they are sailing off on their golden parachutes with their millions of stolen dollars, but it’s very rare for these types to stay away for long.

Stay on high awareness for known tactics

Just a few weeks ago, the three biggest ransomware groups involved in this did not appear to be contemplating retirement at all. They were in fact joking it up on a new shared Telegram channel, talking about forming a new “superteam” and launching a new joint ransomware-as-a-service platform.

Something about law enforcement attention likely changed that. The two main groups are known to have key members in Europe, the US and Latin America, which is very unusual for leading ransomware groups (these are usually based in Russia, where they enjoy some level of immunity so long as they stay there). That has helped them greatly with portions of their operations such as social engineering, but it also means they face heavy consequences when caught.

However, organizations should expect that their known tactics will continue to be a threat for the foreseeable future.