
Combatting hackers: the Hydra effect

At one point, as part of his Twelve Labours, the ancient Greek hero Hercules fought the Hydra, a serpent that grew two new heads each time one was severed. Today, cyber-security teams know that cutting off the head of a ransomware group often results in the rapid emergence of rebranded or copycat operations.

 

Going after bad actors can sometimes feel like an endless task. Recent takedowns of groups such as BlackSuit were celebrated as victories, but within weeks, affiliates had splintered off and resurfaced under new banners, continuing to extort victims with little interruption.

 

So why is it that takedowns don’t stick? And what can security leaders in the UK actually do to make an impact?

 

The resilience of RaaS

Today’s cyber-crime ecosystem - commoditised, decentralised, nebulous, and fantastically profitable - is structured for survival. When a bad-actor group is caught and its infrastructure is dismantled, that same group can simply fire up another instance elsewhere, or launch a new ransomware-as-a-service (RaaS) ‘brand’ with minimal disruption.

 

Organisations have beaten the “resilience” drum for years. Enterprises and governments work tirelessly to build in security, redundancy and recovery strategies. It should come as no surprise that criminals apply the same logic. For them, ironically, agility and resilience are also a sound business model…

 

Consider the 2017 takedown of the Genesis Market, a cyber-crime-facilitation website. Within days, displaced actors had migrated to Russian forums and competing marketplaces and restarted the service. The infrastructure may have been temporarily disrupted, but the demand for stolen credentials and initial access didn’t vanish. Cross-border infrastructure and anonymity tools make it easier to rebuild faster than law enforcement can prosecute an international case.

 

That resilience is exactly why traditional takedowns rarely deliver the knockout blow we might hope for.

 

Busts don’t break the cycle

Ransomware operations today are modular. They’re made up of developers, affiliates, access brokers, hosting providers, money launderers, and forum moderators working in a remote and dispersed fashion. When one element is disrupted, the others quickly adjust, keeping the overall machine running.

 

Infrastructure takedowns are an essential law enforcement tactic, but they often only hit a single link in a vast chain. As soon as a server or domain is seized, affiliates can re-emerge under new “brands,” often recycling old ransomware strains under fresh names and armed with the same playbooks, tools, and contacts.

 

The Hydra effect plays out in predictable ways. Cut away one piece of infrastructure and another takes its place. The underlying criminal ecosystem continues to function.

 

From the defender’s perspective, it can feel like running endlessly on a treadmill, celebrating temporary wins but rarely reducing the overall threat. So the question is, how can takedowns be rendered more effective?

 

Targeting hacker groups more effectively

To break out of the cycle, we need to move beyond a group-by-group strategy and focus on dismantling the ecosystem that sustains them. That means shifting attention to three critical pressure points.

 

1. Target the support network. Access brokers, leak sites, and forums are the connective tissue of the ransomware economy. Without stolen credentials and a marketplace to trade them, affiliates are slowed down. Starving attackers of these resources will disrupt multiple groups at once.

 

2. Follow the money. Ransomware remains profitable because money flows freely through laundering services, mixers, and loosely regulated exchanges. Tracking and freezing the money and cryptocurrency disrupts the economic incentives that keep RaaS thriving. While technically challenging, following the money attacks the very reason ransomware exists.

 

3. Double down on collaboration. No single enterprise or even government can fight this alone. Public–private partnerships remain one of the most effective tools we have. Shared intelligence and rapid takedown coordination magnify the impact and will ensure defenders are hitting multiple heads at once, not just swinging blindly.

 

A way forward

Ransomware isn’t going away, and takedowns alone won’t solve the problem. The Hydra effect ensures that every small victory risks spawning new challenges. But by coordinating international efforts, targeting the ecosystem, following the money, and strengthening collaboration, we can make it harder and less profitable for ransomware operators to thrive.

 

This kind of approach will probably always be a game of whack-a-mole, without a killing strike. Ultimately, I believe that even this should only be part of the overall approach, and will do no more than slow criminal gangs down.

 

For enterprises, the role is twofold. First, continue strengthening your own defences through solid cyber-security practices, policies, training and technology. Second, actively support and participate in public–private partnerships by sharing intelligence and collaborating with industry peers. That way, we can all help chip away at the foundation of the criminal economy itself. 

 


 

Mick Baccio is Global Security Advisor, SURGe by Cisco Foundation AI

 

 

Main image courtesy of iStockPhoto.com and Aryo Hadi



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543