The Colonial Pipeline ransomware attack of 2021 put infrastructure operators on notice that they were directly in the crosshairs of big ransomware gangs. The reaction of law enforcement seems, however, to have also put the gangs on notice that their ability to operate with impunity isn’t what it used to be. The big criminal operations seem to be breaking up. That’s not because they’ve gone straight. It’s because they’ve realized that they’re more vulnerable than they used to be.

The gang that hit Colonial Pipeline, DarkSide, disrupted the pipeline's operation, but the FBI was able to claw back the bulk of the bitcoin ransom Colonial paid and, in turn, to disrupt DarkSide's own operations. In May 2021, citing the loss of its servers and the pressure it was under from US law enforcement, the DarkSide group announced that it was closing down its operation.

Another high-profile ransomware gang, Conti, drew a great deal of hostile attention to itself when it announced, in February 2022, that it was firmly in Moscow's corner with respect to Russia's war against Ukraine. That didn't sit well with some of the gang's sometime collaborators whose sympathies lay with Ukraine, and the gang's internal chat logs were leaked. The embarrassment (and the risk) was severe enough that Conti, after a last hurrah against Costa Rican government networks and resources beginning in April 2022, seems to have begun winding up its operations by the third week of May. There was more heat than a large criminal gang could withstand.

But the former members and affiliates of big ransomware gangs are evidently deciding that they can strike out on their own, without the cover of a big umbrella group. Recorded Future's Allan Liska explained to Tech Monitor why this is so. "They know the operations in and out," he said. "They know how to do the negotiations. They know how to make code adjustments and all that other stuff. So, they're fine without a big umbrella group to support them."

And the new splinter gangs think they have an advantage, and that advantage is social engineering. Yelisey Boguslavskiy, of Advanced Intelligence, told Tech Monitor, "As one of the actors said during internal communications, 'We can't win the war on the technology side because we're competing with companies that have budgets of tens of billions of dollars. We can never win that, but we can win the social side of things.'"

The social side of things is the specialty of new-school security awareness training. Social engineering will be the focus of the new ransomware gangs, and new-school training can help make your users more resistant to it.