The decline of large ransomware groups like Conti and REvil has given way to smaller gangs, making threat detection a challenge.
The ransomware ecosystem changed significantly in 2022, with attackers moving from a landscape dominated by a few large groups to smaller ransomware-as-a-service (RaaS) operations seeking greater flexibility and less attention from law enforcement. This democratization of ransomware is bad news for organizations: it has brought a diversification of tactics, techniques and procedures (TTPs), more indicators of compromise (IOCs) to monitor, and potentially more hurdles to clear when trying to negotiate or pay a ransom.
“We can likely date the accelerated landscape changes to at least mid-2021, when the Colonial Pipeline DarkSide ransomware attack and the subsequent shutdown of REvil by law enforcement led to the dispersal of several ransomware associations,” according to an annual report by researchers from the Cisco Talos Group. “Fast-forward to this year, when the ransomware scene looks as dynamic as ever: various groups are adapting to increased disruption efforts by law enforcement and private industry, infighting and insider threats, and a competitive market that has forced developers and operators to constantly change their affiliations in search of the most profitable ransomware operation,” they write.
Since 2019, the ransomware landscape has been dominated by large, professional ransomware operations that have consistently made headlines and even sought media attention to gain legitimacy in the eyes of potential victims. We’ve seen ransomware groups have spokespeople give interviews to journalists, or issue “press releases” on Twitter and their data leak sites in response to major breaches.
The DarkSide attack on Colonial Pipeline, which led to major fuel disruptions on the US East Coast in 2021, highlighted the threat ransomware poses to critical infrastructure and led to increased efforts at the highest levels of government to combat it. This increased attention from law enforcement prompted the owners of underground cybercrime forums to rethink their relationship with ransomware groups, and some forums banned ransomware-related posts altogether. DarkSide ceased operations soon after, and was followed later in the year by REvil, also known as Sodinokibi, whose creators were charged, with one of them even arrested. REvil had been one of the most successful ransomware groups since 2019.
Russia’s invasion of Ukraine in February 2022 quickly strained relationships within many ransomware groups that had members and affiliates in both Russia and Ukraine or other former Soviet states. Some groups, such as Conti, were quick to side with Russia, threatening to attack Western infrastructure in its support. This was a departure from the business-as-usual, apolitical stance ransomware gangs had traditionally operated under, and drew criticism from competing groups.
This was followed by the leak of Conti’s internal communications, which revealed many of the group’s operational secrets and caused unrest among its affiliates. Following the large-scale attack on the Costa Rican government, the US State Department offered a $10 million reward for information on the identity or whereabouts of Conti’s leaders, which likely contributed to the group’s decision in May to shut down its operations.
Conti’s disappearance led to a drop in ransomware activity for a few months, but that didn’t last long: the void was soon filled by other groups, some of them newly formed and believed to include former members of Conti, REvil, and other groups that had disbanded in the preceding two years.