By Meredith Wallace
Ransomware gangs have evolved. Gone are the days of the hoodie-wearing lone wolf somewhere in Eastern Europe and the spray-and-pray tactics designed to find targets at random. Today’s most prominent financially motivated ransomware gangs have more in common with software companies than with that image. They have organized into enterprises with HR teams, customer support specialists, and accounting offices that focus on making payroll. They even offer a wide range of products and services to other, less technically savvy groups seeking to buy data on the dark web or disrupt strategic targets.
The tactics used by today’s ransomware actors, such as the encryption algorithms they choose, have made it challenging even for law enforcement organizations to retrieve encrypted files. Ransomware gangs also leverage bleeding-edge encryption methodologies and an entire network of service providers, such as initial access brokers, in a display of next-level professionalism. This, coupled with new business approaches, allows these actors to differentiate their services and generate multiple revenue streams.
Taking a Page from Business: Ransomware as a Service
Ransomware-as-a-Service (RaaS) is a particularly popular and lucrative approach based on the software-as-a-service model, in which actors sell their ransomware tools to others on a subscription basis so that the subscribers can carry out their own ransomware attacks. The ransomware seller then receives a cut of any ransom payment collected by the affiliate licensing the tool.
Ransomware gangs use RaaS to outsource attacks in exchange for a fraction of the profit while simultaneously scaling their reach. On the flip side, this model empowers gangs with a lower level of technical skill to carry out highly technical ransomware attacks. Developing novel ransomware takes significant effort, and not every criminal gang wants to invest that time or money. As a result of this shift, ransomware has increased in volume because the barriers to entry are lower.
As ransomware gangs have matured in both a technical and a business sense, the number of attacks and the number of actors involved are also on the rise. In the first half of 2022 alone, LookingGlass observed a total of 1,133 attacks from a record high of 26 ransomware families. In the first quarter of 2022, these 26 ransomware families targeted 563 victims. In the second quarter, at least 25 ransomware families remained active, with a total of 570 victims by the end of June.
It’s worth noting that these 1,133 attacks are the ones that LookingGlass analysts confirmed and attributed to one of the 26 ransomware gangs we identified. Analysts used leak sites as part of this verification process to ensure a “chain of ownership” for each ransomware attack. Across these attacks, the same top ransomware gangs typically held the top spots.
The Most Active Groups: LockBit and Conti
LockBit was by far the most active of the ransomware families LookingGlass observed in the first half of 2022, with a total of 406 victims throughout the first six months of the year. Conti came in second, with 99 victims in Q1 and 46 in Q2, even though it shut down operations in the wake of the Russia-Ukraine conflict.
Alphv took third place in Q1 with 46 victims and second place in Q2 with 51 victims (an 11% increase). Hive (38 victims) and Vice Society (17 victims) rounded out the top five most active groups in Q1. Vice Society more than doubled its victim count from the first quarter, targeting 38 victims in Q2.
In the second quarter, LookingGlass observed a new group gaining traction, called Black Basta, which targeted 50 victims, making it the third most active. Some believe Black Basta is composed of a few former Conti actors, along with members of other groups such as REvil, who rebranded. Events like this highlight how challenging attribution can be when it comes to ransomware groups, since rebranding helps them obfuscate their identity; they also underscore the community these groups have developed around shared goals and tactics.
Throughout the year, LookingGlass also detected several noteworthy active data leak sites. Karakurt, which we assess could be a data extortion arm of Conti, listed 30 victims on its site in Q1. DDoSecrets, a non-profit collective, began publishing data from 24 victims, most of it obtained by the infamous Anonymous hacktivist group, which was targeting Russia and its allies at the onset of the Ukraine invasion. The LAPSUS$ hacking group posted some high-profile victims before several of its members were arrested for their cybercriminal activities. And the infamous REvil appeared to dismantle after major arrests in early 2022.
Ransomware Outlook into 2023
Ransomware has become an oversubscribed business because governments and large organizations alike have been unable to stop it. Today’s attempts to hold ransomware actors accountable are not scalable; one-off arrests or seizures of crypto assets have not been enough to deter the activity.
While ransomware actors and other cyber criminals have largely refrained from attacking critical infrastructure in detrimental ways that could put human life at risk, it is possible their risk tolerance could change over time as they grow in both technical capability and sophistication. As ransomware evolves, the way we track it must also evolve.
Looking ahead to 2023 and beyond, LookingGlass will continue monitoring these groups; however, rather than simply tracking the latest leak or which actors are affiliated with which groups, we will seek out the common vulnerabilities and exposures within their infrastructure.
The past several years of playing whack-a-mole against cyber criminals have proven unsuccessful at thwarting attacks or deterring these actors at scale. Stay tuned for our unique approach to illuminating weaknesses in these groups that will enable you and your organization to fight back at scale.
Thank you to the LookingGlass Analysis Team for their assistance with this research.