Cybercriminals Diversifying Sees Ransomware Variants Double Since Start of 2022

News

Ransomware actors are diversifying their work models and broadening their networks as demand for their services continues to grow, leading to an explosion in the variety of different tools and resources being offered via illicit marketplaces.

August 26, 2022

OCCRP previously reported how after years of honing their skills on the darknet, cybercriminals are increasingly assuming the role of ‘service providers’, offering often subscription-based ransomware packages that allow even novices to attack individuals and organizations for profit.

Traditionally, when the gangs behind these operations have attracted too much attention from private security researchers or law enforcement, they’ve sent out signals via online channels that their organization is disbanding. This has frequently proven to be a ruse.

Instead of actually shutting down, these groups would simply rebrand under a new name, and begin using a new variant of their trademark malware. According to Jon DiMaggio, chief security strategist at threat intelligence platform Analyst1, that model has now changed.

“Now, when a group disbands or ‘retires’, it seems they sell off their code and the members break off to go and support other ransomware groups,” he told OCCRP. “The result we see is codes, tactics and behaviors from one group now being spread across several other ransomware crime syndicates.”

According to a recent report by FortiGuard Labs, a cyber threat intelligence platform, the number of different ransomware packages has almost doubled since the beginning of 2022. DiMaggio explained that alongside the ongoing boom in demand for ransomware services at large, it’s likely growing diversification and collaboration across the market that’s driving this trend.

The forums where these services are sold are usually highly competitive. Most if not all darknet marketplaces allow users to leave reviews, with many also offering dispute resolution services for dissatisfied customers, making it a largely reputation-driven industry.

That competitiveness in turn creates opportunities for experienced cybercriminals to work as freelancers, effectively contracting themselves out as consultants to help other groups develop their services. It also makes it more difficult for researchers and law enforcement to keep track of the various different actors at play.

“A lot of analysts are getting confused,” DiMaggio said. “They see source code from one gang that’s a closely guarded secret being used by another and assume they must now be working together, but instead it’s maybe just a developer from the first group helping the second upgrade their malware.”

CheckPoint Security, a cybersecurity solutions firm, stated earlier in July that ransomware attacks had increased on the previous year at an average of 50% across different sectors. Educational and research institutions have proven the worst affected, followed by government and military organizations, communications services, internet service providers, and healthcare.

The recent report by FortiGuard Labs notes that the use of ‘wiper’ malware, which destroys the victim’s data by wiping hard disks clean, also appears to be widening. The firm identified seven new variants of this type of malware in the first half of this year. Some of these have been used to stage attacks against government, military and civilian infrastructure in Ukraine, but they’ve also been detected in 24 other countries.

Even in cases where wiper malware is not used, there is still no guarantee that ransomware victims will see their data returned, reliant as they are on the word of their attackers.

Claudia Pina, a Portuguese investigative judge on secondment with the European Judicial Cybercrime Network, part of Eurojust, told OCCRP there are also dangers associated with cybercriminals retaining their victim’s information, or selling it on to other criminal groups.

“These criminals are ruthless,” Pina said. “Sometimes they’ll actually have penetrated the system a while back. They therefore have a lot more data they can keep, sell, use later, so there’s a risk the victim may be hit again either by the same actors, or others who have purchased that information from them.”

DiMaggio similarly explained that once an individual or organization has been targeted by a ransomware attack, they’re statistically more likely to be targeted again within the following few months, and that it’s a trend that’s only going to continue.

“Trading data used to be something that was only done by groups that had close relationships, but they’re increasingly acting as access brokers for other actors in the market,” he said. “In the end, these guys are just looking for different ways to monetize what they’re doing.”