Ransomware gangs are major players in the cybersecurity space, especially in recent years. ZDNet reported that ransomware gangs increased their payments by over 311% from 2019 to 2020, with totals for all groups exceeding $350 million in 2020. Ransoms continued rising in 2021. Unit 42, a threat research team at Palo Alto Networks, found that the average payment in 2021 was up 78% to approximately $541,000, with demands from specific attacks increasing 144% to $2.2 million.

A few months ago, vx-underground posted an image they’d received from the LockBit ransomware group. The gang bragged that they had ransomed 12,125 companies, with varying degrees of success. If each of those companies paid an average ransom of $100K (a very low estimate, in terms of ransoms), that totals $1,212,500,000. LockBit has more than 850 published companies on their blog, more than any other ransomware group.

The FBI called the Conti gang’s ransomware variant “the costliest strain of ransomware ever documented.” Interestingly, Conti’s official date of death is May 19, 2022. However, the group may have set up its own demise because of mistakes that made it too risky to continue. And, on the same topic, REvil is back again as of May. This is either the third or fourth time they have re-emerged after arrests. Many regard the group as one of the most prolific ransomware groups to ever exist.

Why are these gangs so wildly successful? The two most active ransomware gangs in the first quarter of 2022, LockBit 2.0 and Conti, accounted for 58% of all incidents during that time, according to Digital Shadows. How do groups continue to reform and emerge even after the authorities catch and arrest the leaders?

Forming Cartels for Strength in Numbers

When looking at the most successful groups, size is one factor that jumps out. The more members there are in the gang, the more resources they have, both in terms of skills and people. On a basic level, the larger groups are more powerful and tend to have more staying power. Law enforcement often keeps close tabs on key players. A larger group means that when one person is arrested or goes undercover, other skilled attackers can fill in.

Many groups take it to the next level by joining forces. According to a study by Analyst1, Twisted Spider (creators of Maze and Egregor ransomware), Viking Spider (creators of the Ragnar Locker ransomware), Wizard Spider (creators of Conti and Ryuk ransomware) and LockBit Gang created a cartel. As a cartel, the groups share resources such as infrastructure, victim data and tactics.

Changing Tactics to Evade Authorities

Gangs know how their targets work. After an attack, honest cybersecurity workers study the incident. Many companies make changes to their security to reduce the risk of that specific type of attack. In addition, defenses — especially AI-based tools — continue to improve. A ransomware group that maintains the same strategy will subsequently be less successful as time goes on. The most resilient groups evolve their strategies based on their specific strengths compared to current vulnerabilities.

Although many groups use the same ransomware in most of their attacks, it’s important to remember that the group and the ransomware are two separate entities. Groups will often keep the same ransomware type and use a new delivery method. For example, UNC1878 used Cobalt Strike in 90% of its attacks in the last three years. But it recently used a customer-compliant phishing scheme to spread malicious JavaScript through a PDF.

In addition to changing strategies for conducting breaches, successful groups also continually evaluate their targets. While sizable attacks on large companies are the ones that make headlines, ransomware groups are increasingly moving to smaller targets. A REvil ransomware affiliate shared that large attacks make it easier for authorities to find them. They also said groups are realizing that demanding stable sums from mid-size companies, and only occasionally targeting enterprises, is a better strategy.

ZDNet reported in January 2022 that over half of ransomware attacks target banking, utilities and retail organizations. While a great deal of research has been published about industries targeted by ransomware gangs, the most resilient gangs do not focus on a specific industry. Instead of using industries to guide their attacks, the gangs tend to focus on the size of the company, specific vulnerabilities and their signature type of attacks.

The Future of Ransomware Gangs

Interestingly, ransomware groups that shut down often re-emerge as a totally new group or join forces with other existing groups. For example, members of the GandCrab started REvil in 2019, and key members were arrested in January 2022 in Russia. REvil ransomware’s servers in the TOR network were up again recently, as was its blog.

When news hits of a gang shutting down, it’s tempting to consider that a victory. But as Satnam Narang, senior staff research engineer at Tenable told CPO Magazine, when one gang shuts down, another one emerges. Affiliates often have little loyalty to a specific group. They often help multiple groups by offering Ransomware-as-a-Service, where they sell their expertise and infrastructure to any group for a fee. This means those affiliates are still out there even after one major gang gets arrested and/or shut down.

The future of ransomware gangs is likely similar to the recent past. The most successful groups will dominate the attacks both in terms of volume and fees. Arrests and dissolving of the groups will likely only change the landscape of the gangs temporarily as the groups continue to re-emerge. While the focus on arrests and dissolution is the right move, organizations should continue to take charge of their own security by reducing their risk and vulnerabilities.

For more information, read the X-Force Definitive Guide to Ransomware here

More from Risk Management

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Tech Stack Diversity: Security Benefits and Costs

If your remit protects the information technology estate, you might be tired of the constant fire drills and reminders of upcoming disruptions. The barrage from cybersecurity vendors claiming "we have the solution" is almost equally exhausting. Start here: there is no magic bullet cybersecurity solution. If there was, its inventor would be a gazillionaire and have a list of enemies miles long. However, well-stacked solutions can significantly reduce your risk posture. The key is to place dependability over dependence, reduce…