Did Scattered Spider Scatter? Cyber Experts Are Skeptical

In a post on Breachforums, at least 15 ransomware gangs have announced retirement. The statement reads, “We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark.”
This move has piqued the interest of many in the cybersecurity field, especially in the case of Scattered Spider. Scattered Spider has been involved in several breaches that made headlines, particularly in the retail sector earlier this summer, in which they claimed responsibility for attacks on Victoria’s Secret, Harrods and more. The group switched targets to the insurance sector as well as the transportation and airlines industry later in the summer.
After involvement in many major breaches, Scattered Spider joining a collection of other allegedly retiring ransomware groups may seem strange — but many cyber experts believe this is not a true retirement announcement at all.
Are 15 Ransomware Groups Retiring? It’s Unlikely, Experts Say
Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, explains, “When ransomware groups like Scattered Spider or Lapsus$ announce they’re ‘going dark,’ it should be taken with a massive grain of salt. It’s like a shoplifter saying they promise they won’t shoplift anymore. It could happen, but it’s very unlikely. These groups rarely just disappear; more often they rebrand, tweak their internal structure, or shift their tactics and techniques. At the end of the day, walking away from a business model that generates millions, even if it’s illegal, isn’t something most of them are likely to do.”
Dave Tyson, Partner - Intelligence Operations at iCOUNTER, adds, “It’s never retirement, it’s simply part of the normal lifecycle of criminality. Groups come together for specific purposes, form into units to execute their plans, and exit the definable identity to lower the focus on that collective or unit. Eventually, we will see them re-appear sometime later in different units. While it’s fair to say there is always law enforcement pressure for them to be concerned about, it is more likely what I call ‘Brand Shedding.’”
False Retirements Aren’t New Among Cybercriminals
If Scattered Spider and the other groups are ‘Brand Shedding’ as Tyson believes they are, then it is likely organizations will eventually see them re-emerge under a new name. According to cyber experts, this is not an unprecedented occurrence. James Maude, Field CTO at BeyondTrust, describes the history ransomware groups have with false retirements.
“Cybercrime groups have a bit of a history when it comes to retiring that is often no more than the equivalent of lying low while the heat is on,” Maude states. “Back in 2019, the GandCrab crew announced they were retiring after earning more than $2 billion; they had cashed out and quit the business. A few months later, REvil ransomware appeared bearing all the hallmarks of the GandCrab crew leading many to the conclusion that they had actually rebranded rather than retired. With these groups in particular, they are not organized in the same way as previous threat actors and are a far more loosely connected group of individuals that would be far more likely to disband and reform in new groups than actually retire.”
Since it is unlikely that these groups are truly retiring, why did they make this announcement?
Maude shares his thoughts, saying, “Law enforcement and the industry have put a name on the groups and linked their Tactics, Techniques and Procedures (TTPs) across multiple incidents and industries, meaning they have become a major target that institutions can co-ordinate efforts around hunting. By announcing a retirement, they are likely attempting to throw some of that focus off and establish new groups in an attempt to confuse and distract from ongoing investigations. It also provides some plausible deniability and distance from previous major incidents in the event they are caught — meaning they would be at less risk of being linked to previous incidents as that group had retired. As with all businesses, criminal or otherwise, if your brand becomes toxic you look for creative ways to rebrand and relaunch with as much distance as possible.”
Even if these groups are retiring as they claim, organizations shouldn’t take it as a sign to be lax about cyber defenses. The loss of a handful of groups doesn’t mean the space won’t be filled by another malicious actor in the future — possibly even one that mimics the groups who have left.
Ms. Nivedita Murthy, Senior Staff Consultant at Black Duck, warns, “Organizations should take these announcements with a pinch of salt. It could be possible that some of these groups may have decided to step back and enjoy their payday; it does not stop copycat groups from rising up and taking their place.”
This Alleged Retirement Could Be a Sign of New Threats to Come
While the ransomware groups have stated that “silence will now be [their] strength,” experts believe it is likely that they will return in some form. Similarly, others acknowledge that this retirement announcement may be a signal that the threat actors are shifting their activities.
Casey Ellis, Founder at Bugcrowd, explains, “It’s safest to consider this announcement as more of a PR stunt than a genuine farewell. Historically, cybercriminals rarely retire in the traditional sense. Instead, they rebrand, regroup or pivot to new tactics and operations... or they get caught. The statement about silence being their strength could signal a shift in strategy — perhaps moving toward quieter, more targeted attacks or selling their expertise to other groups. It’s possible that some members will transition into other forms of cybercrime, like hacking-for-hire or fraud.
“In terms of motivations, law enforcement pressure and international collaboration against these groups has increased markedly over the last twelve months. Competition is also a factor. As more groups emerge, the market becomes saturated, and the profitability of ransomware campaigns may diminish. This could push established groups to exit while they’re ahead, or at least signal that they are doing so to try and reduce pressure from law enforcement.
“In general, it’s an interesting signal from the group, but not a reason to relax. We should interpret this announcement with skepticism. It’s unlikely these actors will simply disappear. Instead, we should expect them to evolve, leveraging their accumulated wealth, experience, and credentials/access/data to innovate or support other malicious activities. For defenders, this means staying vigilant and focusing on resilience. The ransomware business model is an arms race, and while some groups may fade, the threat itself isn’t going anywhere. Organizations must continue to prioritize proactive defenses, threat intelligence, and collaboration with law enforcement to stay ahead.”
No matter the intention behind this announcement, organizations are encouraged to remain alert.