October 4, 2022 By Jennifer Gregory 4 min read

Ransomware gangs are major players in the cybersecurity space, especially in recent years. ZDNet reported that ransomware payments grew by over 311% from 2019 to 2020, with totals across all groups exceeding $350 million in 2020. Ransoms continued rising in 2021. Unit 42, the threat research team at Palo Alto Networks, found that the average payment in 2021 rose 78% to approximately $541,000, while the average demand rose 144% to $2.2 million.

A few months ago, vx-underground posted an image it had received from the LockBit ransomware group. The gang bragged that it had ransomed 12,125 companies, with varying degrees of success. If each of those companies paid an average ransom of $100K (a very low estimate by ransomware standards), that totals $1,212,500,000. LockBit has published more than 850 victim companies on its leak blog, more than any other ransomware group.

The FBI called the Conti gang’s ransomware variant “the costliest strain of ransomware ever documented.” Interestingly, Conti’s official date of death is May 19, 2022. However, the group may have engineered its own demise after mistakes made it too risky to keep operating under that name. On the same theme, REvil has been back in operation since May. This is either the third or fourth time the group has re-emerged after arrests, and many regard it as one of the most prolific ransomware groups ever to exist.

Why are these gangs so wildly successful? The two most active ransomware gangs in the first quarter of 2022, LockBit 2.0 and Conti, accounted for 58% of all incidents in that period, according to Digital Shadows. And how do groups keep reforming and re-emerging even after the authorities catch and arrest their leaders?

Forming cartels for strength in numbers

When looking at the most successful groups, size is one factor that jumps out. The more members a gang has, the more resources it has, both in skills and in people. On a basic level, the larger groups are more powerful and tend to have more staying power. Law enforcement often keeps close tabs on key players, so a larger group means that when one person is arrested or goes into hiding, other skilled attackers can fill in.

Many groups take it to the next level by joining forces. According to a study by Analyst1, Twisted Spider (creators of the Maze and Egregor ransomware), Viking Spider (creators of the Ragnar Locker ransomware), Wizard Spider (creators of the Conti and Ryuk ransomware) and the LockBit gang formed a cartel. As a cartel, the groups share resources such as infrastructure, victim data and tactics.

Changing tactics to evade authorities

Gangs know how their targets work. After an attack, defenders study the incident, and many companies change their security controls to reduce the risk of that specific type of attack. In addition, defenses, especially AI-based tools, continue to improve. A ransomware group that keeps the same strategy will therefore become less successful over time. The most resilient groups evolve their strategies to match their particular strengths against the vulnerabilities currently open to them.

Although many groups use the same ransomware in most of their attacks, it’s important to remember that the group and the ransomware are two separate entities. Groups will often keep the same ransomware family and switch to a new delivery method. For example, UNC1878 used Cobalt Strike in 90% of its attacks over the last three years, but it recently used a customer-complaint phishing lure to deliver malicious JavaScript through a PDF.

In addition to changing how they conduct breaches, successful groups also continually re-evaluate their targets. While the sizable attacks on large companies are the ones that make headlines, ransomware groups are increasingly moving to smaller targets. A REvil ransomware affiliate said that large attacks make it easier for the authorities to find them, and that groups are realizing that demanding steady sums from mid-size companies, and only occasionally targeting enterprises, is the better strategy.

ZDNet reported in January 2022 that over half of ransomware attacks target banking, utilities and retail organizations. While a great deal of research has been published on the industries that ransomware gangs target, the most resilient gangs do not focus on a specific industry. Rather than letting industry guide their attacks, they tend to choose targets by company size, by specific exploitable vulnerabilities and by fit with their signature type of attack.

The future of ransomware gangs

Interestingly, ransomware groups that shut down often re-emerge as an entirely new group or join forces with other existing groups. For example, members of the GandCrab gang started REvil in 2019, and key REvil members were arrested in Russia in January 2022. Yet REvil’s servers on the Tor network recently came back online, as did its leak blog.

When news breaks of a gang shutting down, it’s tempting to count it as a victory. But as Satnam Narang, senior staff research engineer at Tenable, told CPO Magazine, when one gang shuts down, another one emerges. Affiliates often have little loyalty to a specific group. Under the Ransomware-as-a-Service model, a core group leases its ransomware and supporting infrastructure to affiliates, who carry out the intrusions and hand over a share of each ransom; an affiliate can work with several such programs at once and move to another when one is disrupted. This means the affiliates are still out there even after one major gang is arrested or shut down.

The future of ransomware gangs is likely to look much like the recent past. The most successful groups will dominate both in volume of attacks and in fees collected. Arrests and dissolutions will probably change the landscape only temporarily as the groups continue to re-emerge. While pursuing arrests and takedowns is the right move, organizations should continue to take charge of their own security by reducing their risk and their exposed vulnerabilities.

For more information, read the X-Force Definitive Guide to Ransomware.
