Chris Swagler | November 14th, 2022

According to threat intelligence, ransomware groups are increasingly writing their own or stealing computer code, shifting away from a leasing model that made their actions easier to track. In recent years, numerous prominent ransomware groups have operated by leasing their malicious software and computing infrastructure to other threat actors, a practice called ransomware-as-a-service. The concept increased the number of ransomware attacks and was offered by infamous groups, including Conti which shut down Irish health services, and REvil which was responsible for a 2021 infiltration of Kaseya Ltd., an IT management company.

The number of smaller ransomware groups has rapidly expanded, coinciding with a reduction in activity by higher-profile groups. This shift is making it harder to track the many new groups, including Onyx, which researchers believe is reusing Conti’s code and has targeted several victims.

Ransomware groups are becoming more malicious in their conduct: stealing from one another, lying to victims even more than usual, and causing havoc for investigators and law enforcement. United States government data shows that ransomware payments have rapidly increased in recent years as numerous groups adopt double extortion tactics. In a double extortion attack, the group encrypts files and demands money, and additionally steals private data and threatens to release it if the victim doesn’t pay the ransom. According to the Treasury Department, U.S. institutions reported approximately $1.2 billion in potential ransomware-related payments in 2021, typically in response to breaches caused by Russian criminal groups.

Since 2020, payments have more than doubled, highlighting the terrible damage that ransomware continues to inflict on the private sector. The change in tactics may be driven by ransomware groups’ fear of being targeted if they’re part of a larger group. The U.S. Department of Justice charged two threat operators from Russia and Canada for allegedly working with the LockBit ransomware group. In recent months, threat operators associated with the Netwalker and REvil extortion groups pleaded guilty. The United States hosted a ransomware summit in Washington, DC this month with nearly three dozen countries in attendance. According to a senior Biden administration official, the rate and sophistication of the breaches are expanding faster than the United States government’s ability to disrupt them.

With more ransomware groups looking to avoid detection by writing their own code or stealing it, it’s important for high-profile companies to always be vigilant of the current threat landscape and upgrade their network security measures to prevent future cyberattacks. At SpearTip, our certified engineers are continuously working 24/7/365 at our Security Operations Center, monitoring companies’ data networks for potential ransomware threats and ready to respond to incidents at a moment’s notice. SpearTip will examine companies’ security posture to improve the weak points in their networks. Our team engages companies’ people, processes, and technology to fully measure the maturity of the technical environment. Our experts will provide technical roadmaps for any vulnerabilities we uncover and ensure that companies have the awareness and support to optimize their overall cybersecurity posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.