Saturday, June 20, 2026

The ransomware ecosystem will become more diverse in 2023


The ransomware ecosystem changed significantly in 2022, with attackers moving away from a landscape dominated by a few large groups toward smaller ransomware-as-a-service (RaaS) operations that offer greater flexibility and draw less attention from law enforcement. This democratization of ransomware is bad news for organizations: it brings a wider range of tactics, techniques, and procedures (TTPs), more indicators of compromise (IOCs) to monitor, and potentially more hurdles to overcome when trying to negotiate or pay a ransom.

“We can likely date the accelerated landscape changes to at least mid-2021, when the Colonial Pipeline DarkSide ransomware attack and subsequent law enforcement shutdown of REvil led to the disbandment of several ransomware associations,” according to an annual report by researchers from the Cisco Talos Group. “Fast forward to this year when the ransomware landscape is looking more dynamic than ever, with groups adjusting to heightened law enforcement and private sector efforts, infighting and insider threats, and a competitive marketplace that forces developers and operators to constantly change their connections in search of the most lucrative extortion operation,” they write.

Since 2019, the ransomware environment has been dominated by large, professional ransomware operations that consistently make headlines and even court media attention to gain legitimacy in the eyes of potential victims. We have seen ransomware groups give interviews to journalists or issue “press releases” on Twitter and on their data leak sites in response to high-profile breaches.

The DarkSide attack on the Colonial Pipeline, which caused major power outages on the U.S. East Coast in 2021, highlighted the threat that ransomware attacks pose to critical infrastructure and led to increased efforts at the highest levels of government to combat it. This heightened law enforcement attention prompted the owners of underground cybercrime forums to rethink their relationship with ransomware groups, and some forums banned ransomware-related posts altogether. Shortly thereafter, DarkSide went out of business, followed later that year by REvil, also known as Sodinokibi, whose creators were charged and one of whom was arrested. REvil had been one of the most successful ransomware groups since 2019.

Russia’s invasion of Ukraine in February 2022 quickly strained relations with many ransomware groups that had members and affiliates both in Russia and Ukraine or other former Soviet republics. Some groups, such as Conti, rushed to take a war stance, threatening to attack Western infrastructure in support of Russia. It was a departure from the usual, apolitical approach used by extortionist gangs and drew criticism from other rival groups.

This was followed by a leak of internal communications that revealed many of the secrets of Conti’s work and caused unrest among partner organizations. Following a large-scale attack on the government of Costa Rica, the US State Department offered a $10 million reward for information on the identity or whereabouts of Conti executives, which likely contributed to the group’s decision in May to shut down operations.

The disappearance of Conti led to a drop in ransomware activity for several months, but this did not last long: the void was soon filled by other groups, some of them newly created and believed to be staffed by former members of Conti, REvil and other groups that ceased operations over the last two years.

Sandra Loyd
Sandra is the Reporter working for World Weekly News. She loves to learn about the latest news from all around the world and share it with our readers.