Ransomware Gangs Evolving their Expansion and Attack Strategy

How are Ransomware Gangs evolving their game and strategy?

Ransomware gangs, through the expansion of toolset, adoption of new monetization models and use of advanced technology, are re-shaping the attack landscape - moving it away from the commodity-styled ‘spray and pray’ attacks to ones that are more targeted in scope and disruptive in impact.

Ransomware attacks are becoming more prevalent and a ‘weapon of choice’ for cybercriminals. Ransomware was named the top threat type in 2021 accounting for 21% of all cyber attacks1 while the total number of attacks witnessed a staggering 105% jump during 2021 compared to 20202. One of the factors fuelling the rise, is the active role of ransomware gangs who are devising new techniques, executing coordinated campaigns and running cartelized operations to realize greater payoffs. By leveraging complex vectors and unique tactics, these gangs are re-shaping the ransomware landscape, moving it away from the commodity-styled ‘spray and pray’ attacks to ones that are more targeted in scope and disruptive in impact.

But how exactly are ransomware gangs orchestrating the attacks and what key levers are they exploiting in their tradecraft? A number of them – that include, the expansion of toolset, the ability to rebrand themselves, adoption of new monetization models and operating structures, and the use of advanced technology.

How ransomware gangs are orchestrating the attacks and new key levers in their tradecraft?

Expansion of toolset

With cyber extortion turning out to be a thriving industry, several financially motivated threat actors are seen transitioning to targeted ransomware operations. Besides, they are embracing the use of novel malware, expanding the toolset, and incorporating new initial access vectors, to inflict maximum disruption. FIN7 (aka Carbanak), a Russian-speaking, financially motivated actor known for its resourceful and diverse set of tactics, custom-made malware, and stealthy backdoors, has added ransomware to its repertoire. Researchers at Mandiant, who continue to observe and track the group’s operations, have published a rich new set of FIN7 indicators of compromise based on the analysis of novel malware samples3. Among the notable shifts observed are diversification of initial access techniques to include software supply chain compromise and use of stolen credentials, data theft extortion, and evolution of PowerShell-based backdoor (known as PowerPlant) into new variants.

Similarly, another Russian ransomware gang has been reportedly repurposing custom tools developed by other APT groups such as Iran’s MuddyWater, to gain unauthorized access to victim’s network through the abuse of stolen credentials.

Constant rebranding and restructuring

A key feature in the evolution of ransomware gangs (especially the more accomplished ones) has been the ability to reinvent and rebrand themselves, applying lessons learned from their previous activities as well as those of other gangs prior to starting new campaigns. The emergence of the BlackMatter ransomware gang is a perfect example. Born out of the “retirements” of REvil and DarkSide gangs, BlackMatter publicly stated that it wouldn’t target critical infrastructures, a nod to the pressure designed for deterrence applied to the REvil and DarkSide groups (causing both to fold after their disruption of Colonial Pipeline and the meat supplier JBS). The threat group that created the REvil RaaS (aka Sodonokibi) is now identified as a former affiliate of GandCrab, which retired in 2019 and is claimed to have purchased the GrandCrab source code. In turn, the Darkside ransomware came from a former REvil affiliate that evidently decided to move up.

The REvil gang too has resurfaced amidst rising tensions between Russia and Ukraine, after having shut down in October 2021, following a law enforcement operation. However, instead of showing the old websites, the old infrastructure has been redirecting visitors to new URLs for an unnamed ransomware operation. Such rebranding efforts are helping the gangs draw fresh focus and attention to new campaigns while also serving to escape the law enforcement lens.

Shift in organization structure and business model

The ransomware gangs are increasingly becoming more sophisticated, not just in terms of business models but also in posturing as corporate entities. According to a study by Analyst14, several ransomware gangs including Twisted Spider (creators of Maze and Egregor ransomware), Viking Spider (creators of the Ragnar Locker ransomware), Wizard Spider (creators of Conti and Ryuk ransomware) and Lockbit Gang combined forces sometime in May 2020 to form a cartel of sorts to coordinate attacks and data leaks, share intelligence and infrastructure. The cartel-like operating model is often seen as an effective way for ransomware gangs to pool their resources, technology, infrastructure, and expertise and evade law enforcement.

Secondly, the business model of ransomware gangs has evolved significantly, with a majority of operators now adopting a franchise model – often referred to as ransomware-as-a-service (RaaS). The most notable example is REvil. Its business model relies on the recruitment of operatives to distribute the ransomware on its behalf, with the parent company taking a portion of all revenue. This approach has been enabling malicious actors to rapidly scale their efforts, while at the same time allowing them to weaponize data captured during incursions.

Another significant shift is with respect to the organizational structure, with ransomware gangs moving away from isolated cells to being operated as organized entities via an affiliated model and offering 24/7 help desks staffed by representatives. FIN7, for example, is known to have been operating a phony pentesting firm named “Bastion Secure” to hire network intrusion specialists. Another ransomware gang – Hive’s ransom notes are known to have a link to a “sales department” which allows victims to contact them through live chat – almost like customer service.

New ways to monetize attacks

The extortion tactics of ransomware groups have also evolved moving beyond the simple payment-for-decryption model seen in earlier attacks. Some have diversified into DDoS attacks, while others have opted for data theft, accompanied by ‘name and shame’ tactics. Threatening to publish victims’ data on dark web, auctioning off the data to make a profit and using the threat of security non-compliance to extort victims are some of the most common monetization models. The Babuk group, for example, now focuses entirely on data exfiltration rather than encryption while REvil gang is using open-source intelligence (OSINT) to track down their victims’ senior executives and customers and bully them into paying.

Expansive use of AI and automation

To increase the velocity and volume of attacks, ransomware gangs such as Lockbit, Ryuk, and Conti groups are adding automation capabilities across their attack cycle. They are increasingly using bots to automate the initial attack that gets them a foothold in the system which is lowering the barrier to entry for low-skilled threat actors. Wizard Spider for example, is adding new automation into Ryuk that uses Wake-on LAN functionality to discover hosts before spreading the ransomware payload on its own. It also uses the technology to power on systems so that it can infect them. A few others such as Hive, DarkSide and BlackCat are targeting virtualization platforms on dark web marketplaces. DarkSide, for example, deployed Linux versions of its ransomware on VMware ESXi hosts. Besides, these groups are also leveraging automated marketplaces to sell stolen credentials, and automated keyloggers, sniffers and brute-forcers among others to carry out large-scale attacks.

How can organizations thwart ransomware attacks?

The constantly evolving toolsets and attack tactics of ransomware gangs requires organizations to up the ante by adopting dynamic, multi-layered defence. It is essential to incorporate threat intelligence and early warning technologies into any posture. An ML-based threat hunting solution like SISA ProACT can help prevent and detect ransomware attacks through an expanded set of use cases and actionable threat advisories. Besides, best practices such as frequent patching, use of multi-factor authentication (MFA) and backups, and a robust endpoint detection and response (EDR) solution can help guard against ransomware attacks.

To stay up-to-date on new and emerging vulnerabilities and threat actors, subscribe to our Threat Intel reports or contact us to take up a Ransomware Assessment.


  1. https://www.ibm.com/downloads/cas/ADLMYLAZ
  2. https://venturebeat.com/2022/02/17/ransomware-attacks-surged-2x-in-2021-sonicwall-reports/
  3. https://www.mandiant.com/resources/evolution-of-fin7
  4. https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf

For a deeper understanding of zero trust security, its principles, and best practices, read our latest whitepaper on Six best practices for effective implementation of Zero Trust Security.

SISA’s Latest
close slider