The Evolution of Ransomware Operations: Latest Trends

Ransomware is a common weapon of choice for cybercriminals. Depending on the group size and experience, they target small, medium, and prominent victims in pursuit of a significant and quick payday.

The ransomware space is continually changing, so let’s look at some of the most prominent trends surrounding it.

Ransomware As A Service

Prominent hacker groups like REvil and Darkside are selling or renting their hacking tools to others while also providing support in the process. This has commercialized ransomware in a way, leading to a larger number of operating threat actors.

Ransomware Gangs Rise And Fall Quickly

Ransomware groups rarely stick around for long, at least not under the same name. Most groups enjoy a quick rise to the top before disappearing even quicker. Some of them, like REvil recently, fade and re-appear soon after.

Most of the disappearances have to do with police crackdowns or are intended as a precautionary measure for the groups. Some of the latest groups who went away recently are Abaddon, Noname, and Prometheus

However, just as the old ones go away, new groups appear almost instantly. The latest ones known to security researchers are CryptBD, Grief, Hive, Karma, Thanos, etc.

Common Rebranding Among Gangs

Many of the supposedly new groups, however, are actually old ones that operate under a new name.

A good example of that is a ransomware family that used to be called Ryuk. Incident response firm Coveware, along with Cisco Talos and other security researchers, believe that the same group is now called Conti.

Attacks Are Well Spread Across Groups

Cisco Talos researchers found that there was greater distribution in the attacks among groups recently. In fact, only REvil and Vice Society were responsible for more than one attack. It appears that the ransomware world is more “democratized” than ever.

Increase In Ransom Demands

Since the start of 2021, ransom demands have sky-rocketed, going up to an average of $5.3 million per attack. This is a 518% increase from the average ransom in 2020, according to Palo Alto Networks. The highest ransom demand was $50 million, compared to $30 million the year before.

The average amount paid is still relatively (10 times less than the demanded amount), but the rapid increase in demands is still alarming.


Do you want to protect yourself from a ransomware attack? Our Cyber Incident Response Team provides an elite response for your organization after a Ransomware or Cyber Extortion Incident. LIFARS executes Bitcoin payments and establishes cyber secure perimeter guided with proper regulatory and legal oversight. Ransomware Response and Cyber Extortion containment is our expertise.


Service Provider Attacks The Next Big Thing

There are usually two types of attacks:

  • Those targeting software/IT service providers
  • Those targeting physical supply chains or critical infrastructure

Attacks on service providers are expected to rise as they likely supply thousands of businesses with their software services, resulting in higher potential payouts for the attackers.

Not All Gangs Are Big Earners

Ransomware groups are still very much active, as Kela – an Israeli intelligence firm, reports that at least 11 groups carried out attacks just since Oct.25, based on their listed victims on their data leak portals.

Some of these groups are raking in big profits. The average ransom payout is $140,000, according to Coveware. While the average payout has stayed the same since Q2, the median has increased by more than 50%, meaning that hackers now seem to focus more on little or midsize victims after President Biden announced a crackdown on ransomware.

However, not all groups are enjoying the same success. As McAfee researcher Thibault Seret reported in his blog: “Lurking in the shadows of every large-scale attack by organized gangs of cybercriminals, however, there can be found a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to be affiliates in the post-DarkSide RaaS world or the financial clout to tool up at speed.”

Smaller Players Get Their Share Too

However, there are other ways that smaller players can get their piece of the pie. They usually rely on innovative ways to use existing hacking tools and modifying it slightly to carry out their own attacks.

For example, a small group recently used the Babuk ransomware as a building block to insert Bitcoin wallets that they controlled and were able to demand ransoms worth thousands of dollars.

Ransomware Groups Face Challenges With Stolen Data

While stealing data and asking for ransom is a decent strategy, it isn’t foolproof. Sometimes, the data stolen isn’t essential, and the victims may not want to pay. Hosting the stolen data is also a significant challenge.

Many groups have had difficulties hosting the data on the dark web and have opted to upload it to clear websites like Mega[.]nz or Privatlab[.]com, where they are usually taken down after a day or two.

Additionally, since the dark web prioritizes security over performance, downloading the data can be a challenge in itself and can take hours, days, and sometimes weeks to complete.
Risk of Unmasking Is Stressful For Operators