Fifteen Ransomware Gangs “Retire,” Future Unclear
Scattered Spider, one of the most notorious ransomware groups of the present era, surprised the cybercrime community this week with the announcement that it was shutting down its operations. In an open letter posted on the BreachForums dark web marketplace, a collective of 15 threat actors, including Scattered Spider, IntelBroker, Lapsus, Pertinax, and Clown, announced they would be retiring from active threat operations. The letter mentioned multiple arrests that have occurred in the last two years, including eight people who have been arrested in relation to Scattered Spider or ShinyHunters activities, as well as four who are currently in custody in France. The letter went on to say that the groups would not help any of these individuals establish their innocence, directly or indirectly, which may give an indication of the group’s actual motives.
Cyberthreat groups announcing their retirement is not uncommon, and such announcements should usually be taken with a grain of salt. “It’s safest to consider this announcement as more of a PR stunt than a genuine farewell,” said Casey Ellis, founder at Bugcrowd. “Historically, cybercriminals rarely retire in the traditional sense. Instead, they rebrand, regroup or pivot to new tactics and operations, or they get caught.” A recent example of this activity comes in the form of the Hunters International threat group. In the last few months, the ransomware group suddenly announced it was ceasing its operations, only to shortly afterward rebrand itself as the extortion group World Leaks. Lapsus itself performed a similar retirement in 2022, only for its affiliates to reappear and adopt the name.
Even if the announcement is genuine, which is doubtful, it is unlikely that this will lead to a major cessation of cybercrime operations from Scattered Spider or any of the other groups mentioned in the letter. Individuals within the Scattered Spider collective are likely to form new associations, separated from the legal heat attached to the Scattered Spider name, and engage in new threat operations of their own. While the letter claims that members will “enjoy our golden parachutes with the millions the group accumulated,” the truth is that the threat is likely to continue. Even now, a fresh round of cyberattacks against financial service companies is being attributed to Scattered Spider, meaning that the fight against them is still ongoing.