Gangs Shift Ransomware Attack Tactics

Ransomware gangs increasingly use their own or stolen computer code, moving away from a leasing model that made their activities easier to monitor, new research shows.

Numerous prominent hacking groups in recent years have functioned by leasing their malicious software and computing infrastructure to other bad actors, in what's known as ransomware-as-a-service. That model, which experts say turbocharged the number of ransomware attacks, was offered by infamous groups such as Conti, which shuttered Irish health systems, and REvil, deemed responsible for a 2021 intrusion at the IT management firm Kaseya Ltd. 

But now the number of smaller hacking groups has rapidly increased, with many of them deploying their own code or stealing it from others, according to Allan Liska, a threat intelligence analyst at Recorded Future Inc. The shift has coincided with a reduction in activity by some higher-profile groups, according to research Liska presented Friday after the CYBERWARCON security conference.

The evolution is complicating efforts to track various new groups, such as Onyx, which researchers believe reuses Conti's code and has claimed to target several victims. 

“In the last year, ransomware has become a race to bottom among ransomware groups,” Liska said. As a result, gangs are “stealing from each other, lying even more than usual to victims and creating havoc among investigators and law enforcement.”

Ransomware is a type of malware that encrypts a victim's computers. The attackers then demand a ransom payment to unlock them. Ransomware payments have skyrocketed in recent years, US government data shows, as many groups have adopted a type of double extortion. In addition to encrypting files and demanding money, they also are stealing private troves of data and threatening to release it if their demands aren't met. 

The Treasury Department said that US financial institutions reported nearly $1.2 billion on likely ransomware-related payments in 2021, usually in response to breaches originating with Russian criminal groups.

The payments more than doubled from 2020, underscoring the pernicious damage that ransomware continues to wreak on the private sector.

Liska said changes in tactics may be because the groups fear being targeted if they're part of a big group. The US Department of Justice on Thursday announced it had charged a dual Russian and Canadian national for allegedly working with the LockBit ransomware gang. Hackers associated with the Netwalker and REvil extortion groups have pleaded guilty in recent months. 

This month, the US hosted nearly three dozen countries for a ransomware summit in Washington. The pace and sophistication of those intrusions is increasing faster than the US government's ability to disrupt them, a senior Biden administration has said.