The 18-Month Ransomware Rebrand: Why You're Tracking Logos, Not Adversaries
Threat Intelligence
Ransomware brands die and reincarnate on a predictable cycle, but the affiliates and tradecraft persist. Defenders who track behaviors instead of logos catch the same crews twice.
By Arjun Raghavan, Security & Systems Lead, BIPI · February 2, 2024 · 7 min read
A logistics client called us in a panic last quarter. Their threat intel vendor flagged a new ransomware group, RansomHub, hitting their sector. Could we assess exposure? We pulled the IOCs and within an hour told them this was largely the same affiliate pool that had been operating under ALPHV/BlackCat before the May 2024 exit scam. Same negotiation patterns, same initial access tradecraft, same Cobalt Strike profiles. The brand was new. The crew was not.
The ransomware ecosystem has settled into an 18- to 24-month rebrand cycle. Conti shut down operations in mid-2022 and split into Black Basta, Royal, BlackByte, Karakurt, and at least three smaller spinoffs. LockBit operated from 2019 through its 2024 disruption, then bled affiliates into RansomHub, DragonForce, and resurrected variants. ALPHV/BlackCat ran from late 2021 to early 2024. The brands rotate. The TTPs barely move.
Why brands die and crews don't
Three things kill a ransomware brand: law enforcement action (LockBit, Hive), affiliate trust collapse after an exit scam (ALPHV pocketing the Change Healthcare ransom), or operator burnout from sustained pressure. None of those events kill the affiliates underneath. Affiliates are independent contractors. They keep their tooling, their access broker relationships, their negotiator playbooks, their crypter subscriptions. They just sign up with a new program and keep working.
We mapped affiliate IDs across leak posts for one APAC bank engagement. Of 47 distinct affiliate handles seen across LockBit, BlackCat, and RansomHub leak sites between 2022 and 2025, 31 appeared on at least two of those programs. Eleven appeared on all three. The Venn diagram is closer to a single circle.
What persists across rebrands
- Initial access vectors: same Initial Access Brokers, same VPN/RDP/Citrix exposure patterns, same phishing kits.
- Lateral movement: PsExec, WMI, Impacket, AnyDesk persistence, the same Atera/Splashtop RMM abuse.
- Exfiltration tooling: Rclone configs, Mega.io, custom .NET exfiltrators that survive multiple brands.
- Negotiation language: identical chat templates and discount logic appear across rebrands run by the same operators.
- Crypter and loader infrastructure: SocGholish, GootLoader, BatLoader pipelines feed whatever brand pays best this quarter.
Tracking behavior instead of brand
If your threat intel program is organized around named groups ("are we exposed to LockBit?"), you are going to be permanently behind. The brand rotates faster than your detection content can be updated. Worse, a brand-centric view treats post-rebrand activity as a new threat that needs new analysis when it is the same crew you already studied.
We push clients toward a tradecraft-indexed model. You catalog what the crews actually do: the precursors (Qakbot/IcedID/PikaBot loaders), the access methods (Kerberoasting, ADCS abuse, ESXi credential theft), the tooling (Cobalt Strike beacon configs, Sliver, Brute Ratel C4), and the staging patterns. Then you map brand-of-the-month onto that catalog as a label, not a primary key.
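To make the tradecraft-indexed model concrete, here is an added example (not BIPI's own tooling, and not the engagement data from the affiliate-overlap count above) that keys a catalog on ATT&CK technique IDs, attaches brands and affiliate handles as labels derived from leak-site posts, and answers two questions: how many handles recur across programs, and what is genuinely new when a rebrand shows up. The affiliate handles, the post list, which affiliate uses which technique, and the detection descriptions are all constructed for illustration; the technique IDs are real ATT&CK identifiers.

```python
"""Tradecraft-indexed threat catalog: behaviours are the primary key,
ransomware brands are labels derived from who is posting under them."""
from collections import defaultdict

# Constructed leak-site observations: (brand, affiliate_handle).
# Handles are invented; the brands are the ones discussed in the article.
LEAK_POSTS = [
    ("LockBit", "aff-17"), ("LockBit", "aff-42"), ("LockBit", "aff-08"),
    ("BlackCat", "aff-17"), ("BlackCat", "aff-42"), ("BlackCat", "aff-99"),
    ("RansomHub", "aff-17"), ("RansomHub", "aff-42"),
    ("RansomHub", "aff-08"), ("RansomHub", "aff-55"),
]

# Constructed tradecraft per affiliate, expressed as real ATT&CK technique IDs.
AFFILIATE_TTPS = {
    "aff-17": {"T1021.002", "T1047", "T1567.002"},  # PsExec over admin shares, WMI, cloud exfil
    "aff-42": {"T1558.003", "T1219", "T1567.002"},  # Kerberoasting, RMM abuse, cloud exfil
    "aff-08": {"T1021.001", "T1219"},               # RDP, RMM abuse
    "aff-99": {"T1047", "T1486"},                   # WMI, data encrypted for impact
    "aff-55": {"T1558.003"},                        # Kerberoasting
}

# Blue-team detection coverage, keyed by technique rather than by brand.
# Descriptions are constructed placeholders for real detection content.
DETECTIONS = {
    "T1021.002": "service installed from a remote admin share",
    "T1047": "WMI-spawned process with a remote parent",
    "T1558.003": "Event 4769 with RC4 etype and unusual SPN volume",
    "T1567.002": "egress to consumer cloud storage with an rclone user-agent",
}


def affiliates_by_brand(posts):
    """Brand -> set of affiliate handles seen posting under it."""
    by_brand = defaultdict(set)
    for brand, handle in posts:
        by_brand[brand].add(handle)
    return dict(by_brand)


def affiliate_overlap(posts):
    """Affiliate handle -> number of distinct programs it has posted under."""
    programs = defaultdict(set)
    for brand, handle in posts:
        programs[handle].add(brand)
    return {handle: len(brands) for handle, brands in programs.items()}


def overlap_summary(posts):
    """The 'Venn diagram' figures: how many handles recur across programs."""
    counts = affiliate_overlap(posts)
    n_programs = len({brand for brand, _ in posts})
    return {
        "handles": len(counts),
        "on_two_or_more": sum(1 for c in counts.values() if c >= 2),
        "on_all": sum(1 for c in counts.values() if c == n_programs),
    }


def brand_ttps(brand, posts=LEAK_POSTS, ttps=AFFILIATE_TTPS):
    """A brand's tradecraft is the union of its affiliates' tradecraft; the
    brand itself contributes nothing to the catalog."""
    techniques = set()
    for handle in affiliates_by_brand(posts).get(brand, ()):
        techniques |= ttps.get(handle, set())
    return techniques


def rebrand_delta(old_brand, new_brand, posts=LEAK_POSTS,
                  ttps=AFFILIATE_TTPS, detections=DETECTIONS):
    """When a 'new' brand appears, separate what was already analysed under
    the old brand from what is actually new, and list coverage gaps."""
    old = brand_ttps(old_brand, posts, ttps)
    new = brand_ttps(new_brand, posts, ttps)
    return {
        "already_analysed": sorted(old & new),
        "genuinely_new": sorted(new - old),
        "uncovered": sorted(t for t in new if t not in detections),
    }


if __name__ == "__main__":
    print(overlap_summary(LEAK_POSTS))
    print(rebrand_delta("BlackCat", "RansomHub"))
```

On the constructed data, RansomHub brings exactly one technique that BlackCat's affiliates were not already known for, while two of its techniques have no detection at all; a brand-keyed program would have opened a fresh analysis, a tradecraft-keyed one gets a one-line delta and a coverage to-do list.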
What this means for executive briefings
Executives want to know which groups target their sector. The honest answer is that the question is malformed. The relevant population is roughly 200 to 400 active affiliates worldwide, distributed across 15 to 25 active brands at any given moment, with constant churn between them. A briefing that says "Akira and Play are most active against manufacturing" is true this quarter and partially false next quarter.
We rewrite those briefings to focus on the access vectors and tradecraft most likely to hit the client, with named groups appearing as recent examples rather than the unit of analysis. Boards respond better to this once the framing is explained, because it tells them what to fix instead of who to fear.
The next big brand collapse is already on the calendar. Whichever crew loses its leak site or burns its reputation, the affiliates will be operating again within 60 days under a different banner. If your defenses are tuned to behavior, you will not need to re-onboard them.