Chris Swagler | November 9th, 2021

Ransomware trends

Threat actors will continue to utilize ransomware as their weapon of choice for threatening companies of all sizes in pursuit of financial gain. However, the ransomware threat landscape is evolving in a variety of ways, including the influx of new organizations, big-name groups occasionally disappearing, groups running complex ransomware-as-a-service (RaaS) operations, and hiring people who specialize in network penetration, negotiations, and malware development. Most organizations have an insufficient budget and lack staff members to target high-profile companies, so they operate outside their boundaries. Additionally, most organizations face operational challenges including running their own data-leak websites. Here are 7 ways ransomware operators are continuing to evolve.

  1. Groups Rise and Fall

Security companies continue to notice churns in the ransomware-attacker space, including an increase of new organizations. Several groups including Avaddon, Noname, Prometheus, and REvil (or Sodinokibi) disappeared in Q3. Groups like REvil reappeared, before disappearing again because of law enforcement disrupting their operations. There have been new groups appearing including CryptBD, Grief, Hive, Karma, Thanos, and Vice Society according to security researchers

  1. Groups Rebranding Themselves

Some supposedly new operations that emerge are sometimes existing organizations reorganizing under a new name. According to a cyberthreat intelligence analyst, the SynAck ransomware group that hosted the “File Leak” data leak website rebranded itself as “El_Cometa”. The Grief ransomware likely rebranded itself as the “Grief: ransomware” and Karama ransomware is the rebranded “Nety” ransomware group.

  1. Groups Spread Attacks

According to researchers, numerous players appearing in Q3 are more involved in a larger volume of attacks. In their incident response engagement report, only Vice Society and REvil engaged in more than one attack, which highlights a larger democratization of ransomware variants appearing. Based on thousands of cases in Q3, security researchers are convinced that the Conti ransomware group is Ryuk’s successor, which would explain the decrease in Ryuk activity.

  1. Ransomware Operators Focus More on Smaller Payments

There are numerous ransomware groups remaining active. According to an Israeli threat intelligence company, 11 groups including Avos Locker, BlackByte, BlackMatter, Clop, Conti, Grief, LockBit, Marketo, Midas, Pysa, and Xing have listed victims on their data leak websites. Businesses, government agencies, or other organizations paid on average $140,000 in ransom during Q3. After the Biden administration began cracking down on ransomware this past summer, attackers focused more on smaller and midsize victims resulting in a 50% increase in median payments. Not all RaaS operations are looking for a six-figure plus ransom payment. There are multiple smaller actors that don’t have access to the latest ransomware samples or the ability to be affiliated with other ransomware groups.

  1. Leaking Malware Feed to Smaller Players

There are other ways that smaller operations can be innovative, such as leaking secret information. In June a leak of the Babuk ransomware’s builders was used by some to develop their own, more advanced crypto-locking malware. There have been other cases where attackers, with previous connections to a .NET ransomware called Delta Plus, modified the Babuk ransom note by inserting Bitcoin wallet addresses they controlled for victims to pay a ransom. Threat actors began demanding ransoms worth thousands of dollars using the modified malware.

  1. Challenges of Leaking Stolen Data

Stealing and threatening to publish victims’ data is a widely known strategic tactic used by many ransomware groups; however, it is not foolproof. If an attacker didn’t steal sensitive information, a victim may opt not to pay the ransom. Additionally, many ransomware groups found it difficult to manage their data leak websites and host data on the dark web for download, which resulted in exposing data through public file-sharing websites including “Mega[.]nz” or “PrivatLab[.]com”. When these services are hosted on the clear web, they can be taken down and the download links are removed within two days. Another challenge attackers face is Dark websites, sites only reached through the anonymizing Tor browser, that are designed to prioritize privacy over performance.

Navigating through the dark web can be slow and frustrating when users are attempting to download leaked data, which can take nearly a week to download a single dataset. When attackers are hosting their data leak websites and payment portals, they become a target for law enforcement agencies. This situation happened to REvil. When an administrator rebooted the operation’s Tor-based websites, they discovered that someone else—either a former administrator or a law enforcement official—had a copy of the setup files, allowing them to hack REvil’s Tor websites.

  1. Operators Risk Unmasking

Some ransomware operations are extremely profitable due to victims paying cryptocurrency ransoms worth millions. According to a weekly German newspaper, by tracing cryptocurrency connected to the REvil’s former incarnation, GrandCrab, German police might have identified the suspected leader of REvil, Nikolay K., a Bitcoin entrepreneur. Police identified Nikolay after $17,000 in cryptocurrency had been paid to GrandCrab in 2019 by the Staatstheater in Stuttgart, connecting the payment to an email account by Nikolay K.

Sometimes living a ransomware-driven lifestyle and attempting to remain anonymous can take a toll on operators. One instance was when the Groove ransomware administrator, dubbed Orange, TetyaSluha and Boriselcin, posted on the Groove’s data leak site claiming that the experiment was designed to entice Western media. Boriselcin cross-posted the message on the XXS cybercrime forum claiming that the Groove group doesn’t exist and one person, working with other affiliate programs including BlackMatter and LockBit, was responsible. Orange claims that he was asked to create the Groove site for the purpose of writing an article about mass media manipulation.

Instead of taking their ransom earnings and exiting quietly, some ransomware leaders vent their frustration through Russian-language cybercrime forums, which indicates they’re under enormous stress maintaining operations pace. With law enforcement cracking down, emotions will run high and similar outbursts can be expected.

          Responding to These Trends

Ransomware groups will continue to evolve utilizing the seven trends mention above to further develop complex tactics and techniques to maximize the profit they extort from companies. That’s why it’s crucial for businesses to stay current with the latest threat landscape and be proactive in improving security measures to protect your networks.

At SpearTip, our 24/7 certified engineers continuously monitor your networks from our three Security Operations Centers for potential threats like those mention above. We also offer numerous advisory services including pre-breach assessment, red team exercises, penetration testing, and tabletop exercises to help companies identify their security weaknesses and provide remediation steps to improve your security posture. We examine the entire security posture from the top down during our risk assessment process and assess the gaps between your current state and where you should be to protect your organization.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.