Staying up to date and informed on threat-actor group behavior is one way both organizations and individuals can best navigate the continually changing security landscape.

Adam Darrah, Senior Director of Dark Ops, ZeroFox

March 26, 2024

4 Min Read
Hands type on a laptop keyboard in a dark room; code in green appears on screen
Source: Anthony Spratt via Alamy Stock Photo


Hacking is a phenomenon that has been around since at least the 1960s, initially as an exploration into computing more broadly, fueled by the insatiable curiosity of an eternally brilliant community of "hackers," and in large part, that remains true today. Unfortunately, the term "hacking" can conjure up scenes of a lonely individual in a hoodie behind a keyboard, bullying and stealing from victims with ease from the safety of a poorly lit basement room. Although this trope is an exaggeration, there are those within the hacking community who have joined forces to use their powers for evil, forming digital cartels of all sorts, with their own codes of conduct.

Recently, we've observed a shift in attitudes around unwritten rules that have dictated behavior within certain criminal cyber rings in regard to attacking both individuals and organizations. What once rang true as an agreed-upon code of ethics that threat actors lived by is now being renegotiated. 

The Original Hackers' Code of Ethics

As cybercrime has advanced, there historically has been a respected cadre of early hackers who believed in having some guardrails in place as to who is an authorized target of fraud or hacking. This group is now contending and negotiating with a new generation of hackers who believe in profit above all else, regardless of threats to innocent life or geopolitical implications. 

Targets such as hospitals, where the potential loss of human life was very real, were off limits. Additionally, critical infrastructure was avoided altogether, because such attacks against a country's infrastructure are considered an act of war, which is not something criminal hackers are interested in provoking. The Colonial Pipeline attack walked a very fine line in this regard because, technically, the hackers did not disrupt pipeline deliveries. But it still was a very big wake-up call to governments, defenders, and researchers as attacks such as these continue to persist on a global scale. 

At first, hackers also generally agreed to target an individual or business only once. Cybercriminals would only target a specific vulnerability one time before moving on, very rarely continuing to use the same opportunity. Now though, it's quite common for us to see double, triple, or even quadruple exploitation — and this rule will likely remain broken for the foreseeable future

This evolution of hacking ethics has been brought on by a number of factors, including global tensions, the increasing transformation of technology giving attackers even more tools, and the security gaps that new technologies have created — offering threat actors an easy road to exploitation. The biggest change, though, is actually with ransomware groups themselves. 

New Group Dynamics

Ransomware groups have never taken on a one-size-fits-all-all approach. The methods of attack, victimology, and even how they take credit for attacks, historically have been different across the board. Interestingly though, with new online platforms that allow for this bad actor community engagement, it has never been easier to enter the hacking community. In fact, now you don't even have to be an expert in computers to be successful. 

As information and tools have become more readily available, it's not only easier to get started but there are more, younger individuals getting involved in hacking activity. Some of the major groups that are making headlines — like Scattered Spider, which has been credited with successfully disrupting major brands like Caesars Entertainment — are believed to be predominantly made up of teenagers. 

Not only are hackers getting younger, they are also more competitive. In recent cases, there is a greater motivation to be credited with attacks on major brands. This is shown by the major corporations publicly highlighted on victim pages from notable ransomware groups. This has led to a new phenomenon where the most renowned groups are even doing their own PR for their efforts, leveraging the media to disseminate information about either the victims or the group itself. This creates an added sense of urgency for the victim to either pay the ransom or face the consequences of having sensitive information made public.

This new competitive approach to ransomware groups has led to more notoriety for their respective gangs — but it's also led to the demise of some of the most prolific groups. One of the most recent examples of this is the FBI's takedown of major ransomware gang ALPHV, also known as BlackCat. There has been chatter online that a member of a rival group may have passed information to law enforcement to contribute to the takedown, which ultimately would help take the heat off of their own affiliated group. 

Ransomware has been and will continue to be a threat to businesses for years to come, but the behavioral changes with regard to their ethics and operations have led to more challenges in defending against and disrupting these groups. One thing is to be expected: Always expect the unexpected. Between targeted attacks on hospitals and other areas of critical infrastructure, now more than ever, organizations should be aware of these shifting dynamics through a comprehensive, full-spectrum threat intelligence program. Staying up to date and informed on threat actor group behavior and activity is one way both organizations and individuals can best navigate this continually changing security landscape, better deter attacks, and remain vigilant in the face of hackers.

About the Author(s)

Adam Darrah

Senior Director of Dark Ops, ZeroFox

Adam Darrah is an experienced intelligence analyst, skilled in putting international affairs into cultural and political context. Adam spent eight years working for the US government, coordinating across several federal agencies to fill critical knowledge gaps on national security priorities, which helped form his specialization in Central Eurasian political, security, and intelligence issues.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights