Appgate shares its views on changing face of ransomware
Europol recently announced that Romanian authorities have arrested two individuals suspected of cyberattacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments.
Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.
Felipe Duarte, Security Researcher at Appgate says: "The actions by the international cyber security community and law enforcement against ransomware gangs over the last six months have forced gangs to be more careful with their operations. It's not uncommon nowadays for these groups to go dark after a major attack, changing servers and hiding their footprint. Some operations even go through a rebranding process after they get a lot of media attention, like the DarkSide ransomware that rebranded itself into BlackMatter.
"The US Treasury’s announcement about targeting corrupt crypto exchanges, and the recent news that Interpol and the DoJ have arrested REvil members, are good examples of actions targeting cybercrime operations. However, even with those major operations, it's highly unlikely that all REvil members will retire or be arrested. Members may simply go to another "project".
"This volatility undermines their perceived reliability. With ransomware groups continuing to rebrand and change their infrastructure, organisations face less pressure to pay ransomware groups when they are breached. You can’t pay a group that no longer exists, and you are less likely to pay the ransom if there is a possibility they will disappear with your money.
"Trust in law enforcement and government agencies to crack down on these attacks has also grown. For example, during the Kaseya cyber-attack in July, the FBI was able to seize the decryption keys and eventually share them with the victims of the attack. Organisations are, therefore, less likely to give into the demands of ransomware groups if they know that government agencies are cracking down on the recovery of their data.
"As a result, in the upcoming year, ransomware groups will likely have a lower profit margin if they continue to target high-profile organisations, where the government is likely to respond quickly to an attack. Some groups already announced changes in their targets list, BlackMatter ransomware, for instance, claims they do not attack hospitals, critical infrastructure facilities, oil and gas industries, defense industry, non-profit companies and government sector. Ransomware groups already target lots of smaller companies that often do not make into the news. It's possible they will focus on those organizations to avoid being disrupted by law enforcement operations.
"Organisations must still be vigilant as ransomware groups will learn how to operate more cautiously without being detected. Gangs find new targets every day. Ransomware attacks will not dramatically drop in the next year but they may become less profitable as the pressure by law enforcement and government agencies to crack down on the people causing these attacks continues to grow.”