Behind the Rapidly Shifting Ransomware Ecosystem

Over the course of the past year, several established ransomware groups disappeared, with a number of newer groups taking their place. In fact, out of the major ransomware threats operating at the beginning of 2021, only Conti continues to remain active, researchers have noted.

A handful of high-profile ransomware operators disappeared or shut down last year, including REvil, DarkSide and Avaddon. At the same time, a fresh wave of groups became more active, including LockBit and Hive, and even newer groups have emerged in the past few months, like BlackCat, AvosLocker and Entropy. As the ransomware landscape continues to change, researchers say an influx of threat groups represents cybercriminals flocking to take advantage of profitable ransomware operations.

“With tens or even hundreds of millions of dollars being paid out to these cartels it’s going to draw a lot of attention from criminals looking to cash in,” said Nick Biasini, head of outreach with Cisco Talos.

Even over the past few months, researchers have reported continual rapid changes to the ransomware threat ecosystem. While LockBit 2.0 and Conti have remained the top two ransomware threat actors from January through March 2022, an NCC Group Threat Pulse report on Wednesday found that the ransomware group with the third highest number of victims consistently alternated from the Snatch group in January, to the BlackCat group in February, to the Hive group in March (with Hive racking up a 188 percent increase in victims in March over February, according to NCC Group).

In a report looking at the top threat trends of the first quarter of 2022, Cisco Talos noted that no one ransomware family was observed twice in incidents that closed out the quarter, indicating the continued trend of “greater democratization of ransomware adversaries that Talos began observing last year.”

Several other factors may contribute to this fast-moving landscape, including the potential impact of law enforcement activities and rebranding by ransomware groups. Christopher Budd, senior manager with threat research at Sophos, said that the U.S. government’s strong response last year in the wake of the Colonial Pipeline attack clearly demonstrated the risks for cybercriminals carrying out large-scale attacks.

“Since then we’ve seen ransomware continue as a threat but not on that same large scale,” said Budd. “This would seem to indicate attackers are adjusting to lower profile attacks that also have lower risks.”

At the same time, Budd said, the move to the “as-a-service” model has also reduced technical barriers to access and helped to “democratize” the market. In addition to an overall availability of resources, tools and services for cybercriminals eager to launch ransomware attacks, the leaking of code has also paved the way for a surge in newer ransomware groups. For instance, after the release of the Babuk RaaS as “open source” in April 2021, lower-level actors quickly took advantage, including an operator in June that used the Vidar malware to install the Babuk ransomware generated by the builder.

“Most of these new groups are not creating ransomware from scratch, instead they seem to be re-using old REvil, Conti or some other (temporarily) defunct group code,” said Allan Liska, intelligence analyst at Recorded Future. “Much like RaaS offerings, this allows a new ransomware group to get up and running really quickly without having to sign on to a bigger group.”

Still, significant and notable differences in the level of resources exist between the large and well-known ransomware groups, and those that are still emerging. Conti, for instance, has developed manuals and CONOPs for their affiliates, as well as solid partnerships with initial access brokers, making their operations established - something that they can leverage as part of their ransom negotiations as well.

“These smaller groups will struggle to get attention, which is fine for the first part of the attacks, the encryption, but not the second part where you try to extort victims by publishing files,” said Liska.

For enterprises, the rapidly changing ransomware ecosystem means that attacks will continue, especially as threat groups grow more targeted.

“The difficulty in preventing these types of attacks is that they are unlike traditional cybercrime,” said Biasini. “Traditional cybercrime tends to be very opportunistic with criminals attacking a high volume of victims largely randomly. These cartels are targeting networks and working to compromise them, for these circumstances re-evaluating any accepted risk or other known vulnerabilities is paramount.”

However, Liska stressed that the tactics being used by these groups are not drastically different. For defenders, that means that they can pinpoint common risks, threats and vulnerabilities in their environments in order to protect against ransomware attacks, regardless of the group behind the attack.

“Fortunately, for most organizations ransomware attacks from these smaller groups look the same as larger groups,” he said. “Their initial access methods are similar, they use the same tools to move around the network, and they deploy the ransomware the same way.”