Ransomware groups have terrorised businesses and public sector organisations since 2019, but last year the tide began to turn. Collaboration among law enforcement agencies led to high-profile arrests, and the business of ransomware has become riskier for the criminals. But the game is not over yet. This year, experts expect the ransomware industry to consolidate around the most sophisticated groups, to automate more of its attacks, and to shift its focus away from critical infrastructure onto corporate targets.
Last year marked a turning point in the fight against ransomware. Acknowledging the scale of the threat, Western law enforcement agencies formed dedicated units, such as Europol’s Joint Cybercrime Action Task Force or the FBI’s National Cyber Investigative Joint Task Force. This led to breakthrough arrests and the seizure of millions of dollars in cryptocurrency.
In November, for example, the US Justice Department seized $6.1m in funds traceable to ransomware payments linked to the infamous attack on managed service provider Kesaya. One arrest was made and charges were filed against Russian national Yvgeniy Polyanin, believed to be a senior member of the REvil gang. The FBI has offered a $10m bounty for any information on his whereabouts.
Ransomware in 2022: survival of the fittest
This crackdown is forcing the ransomware ecosystem to change, explains Yelisey Boguslavskiy, CEO and head of research at security consultancy Advanced Intelligence. But instead of weakening the ecosystem, it may be simply clearing out the less sophisticated groups. “The arrests are clearing the weaker ones, and those who are smart enough not to get arrested, they will keep growing,” says Boguslavskiy.
This could give rise to a few, highly sophisticated groups that dominate the ransomware business, agrees Jon DiMaggio, chief security strategist at threat intelligence vendor Analyst1. “The big players are going to become almost like big companies that suck up all of the good people in the field,” he says. “I think we’ll see bigger players having a larger impact as opposed to having a lot of medium-sized groups.”
We’ll see bigger players having a larger impact as opposed to having a lot of medium-sized groups.
Jon DiMaggio, Analyst1
Meanwhile, Analyst1 has witnessed ransomware groups forming a cartel, sharing tactics, command and control infrastructure, and data from their victims. Attackers then appear to be “reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue,” the company says.
The bigger these groups become, however, the more of a target they are for law enforcement. As a result, they are diversifying their methods to avoid detection. This includes using a wider variety of attack vectors, beyond the traditional email-borne attacks. “We just saw Log4j, a major CVE, now being exploited by ransomware groups,” explains Boguslavskiy. Using zero-day exploits as well as botnets and initial access brokers can also help groups evade detection.
To further reduce the risk of detection, some ransomware groups are automating their attacks. “Several gangs have added the ability for their ransomware to self-spread, often via taking advantage of [server message block] protocol and other networking technologies,” explains DiMaggio. “Previously, a human would use admin tools like psExec and scripts to turn off security features and spread the malware manually, one system at a time.” Analyst1 expects fully automated ransomware attacks to become commonplace in the next two years.
The crackdown on ransomware is leading some groups to reduce their reliance on affiliates, partner organisations that help identify and infect targets with their malware. The more affiliates involved in a ransomware attack, the higher the risk of disruption by law enforcement, and the larger groups appear to be minimising their criminal networks to make supply chains shorter and more integrated, says Boguslavskiy. “If a group is not focusing on one supply chain, it’s easier for them to survive a potential takedown.”
Ransomware in 2022: ransomware groups go corporate
DiMaggio expects that as ransomware groups grow, they will shift their focus away from critical infrastructure – attacks which draw media coverage and public outcry –towards less high-profile corporate targets. “They don’t want to go loud, they don’t want to be in the media,” he says. ” I think we’ll see more law firms [being targeted], banks, places that are financially stable.”
Meanwhile, ransomware groups such as Conti, Dopplemeyer and LockBit are hiring team members who understand the inner workings of the corporate world. “They’re hiring people with legal degrees, they’re hiring people who understand the corporate world,” explains Boguslavskiy.
They’re hiring people with legal degrees, they’re hiring people who understand the corporate world.
Yelisey Boguslavskiy, Advanced Intelligence
This is giving rise to new forms of extortion. Last November, the FBI warned that ransomware groups have threatened to sabotage a targets’ stock valuation by leaking critical data. Business-savvy attacks such as this will become more prevalent as the groups become more sophisticated. “Sometimes they get into the network and they have classified market data,” explains Boguslavskiy. “At this point, they don’t really have the capabilities to read it properly and to actually weaponise it … but considering the number of people they are hiring with corporate knowledge,” they soon will, he says.
Looking forward into 2022, the concentration of ransomware gangs into fewer, more powerful cartels means that companies in the private sector should remain on their guard. Well-funded and eager to survive, ransomware gangs are incorporating technology and business model innovations from the legitimate economy into their operations, Boguslavskiy warns, with potentially disastrous effect.
Claudia Glover is a staff reporter on Tech Monitor.